Europe is consulting stakeholders on cross-border access to e-evidence. Here’s what we told them.

In September and October, the European Commission opened a public consultation on improving cross-border access to electronic evidence in criminal matters. The objective was to gather input from a broad range of interested stakeholders so the Commission could factor in these perspectives and expertise when they introduce the new “e-evidence” legislation that is now expected at the end of February.

Law enforcement agencies and national experts have weighed in to share their experiences with obtaining cross-border electronic evidence in the member states, and other stakeholders helped paint a full picture of the practical and legal implications of the current gaps and weaknesses in national and EU-level rules and regulations. NGOs like Access Now and European Digital Rights (EDRi), meanwhile, focused on the impact on human rights.

This is one of several steps that the Commission has undertaken to address challenges in cross-border criminal investigations. In autumn 2016, Europe’s national governments collectively took aim at encryption in the context of cross-border investigations, alleging that law enforcement cannot do its job if we all communicate securely.

To many of us in the digital rights community, this is a tale as old as time. Needless to say, Access Now supports strong encryption, which is vital for keeping everyone safe, in the EU and across the globe.

It has already been a long road as we work to figure out exactly what needs to be done in order for law enforcement to ensure public safety and address the challenges they face, while also respecting our fundamental rights and maintaining the security and integrity of our communications infrastructure as a whole.

Here’s a look at the context for our submission on cross-border access to e-evidence, recent relevant developments, and key points in our advice for the Commission.

What is the cross-border access to e-evidence consultation about?

There are a lot of subtleties in this file, but essentially, the Commission is trying to improve on the existing frameworks for cross-border exchange of information in criminal matters both within the EU and beyond its borders, responding to pressure from national governments and the role that US-based tech companies are playing in the global digital ecosystem.

In the international context, that should mean engaging in reform of the Mutual Legal Assistance Treaty (MLAT) system. MLATs provide a legal framework under which government institutions from different countries can exchange information, and they are intended to guarantee the rights of the individual under each legal framework. We have long argued that the MLAT system is burdensome and in dire need of reform, but the Commission’s main course of action so far has been to attempt to circumvent this system entirely. The Commission has proposed creating so-called direct cooperation between a state (or a state agency, such as a law enforcement agency) and a tech company that is holding the data the state is seeking. Access Now opposes direct cooperation, both for content and non-content data, including metadata. To protect human rights, the EU should focus on fixing the MLAT process, rather than finding ways to bypass it.

The EU’s relatively new internal system for access to information among member states is built on a mutual recognition framework that is granularly replacing the MLAT mechanisms. The primary legislative piece that governs this area is the directive on the European Investigation Order (EIO), which only entered into force in May of last year. The EIO aims to offer solutions for all investigations that have a cross-border element, regardless of the nature of the crime, including those involving alleged evidence such as a bloody sweater, witness testimony, or an email.

The EIO has serious flaws, but we believe a proper assessment is necessary to determine how to address them, rather than embarking on a new legislative project only months after the EIO has entered into force. There were actually initial expert meetings on this cross-border access to e-evidence file before May.

Another part of this file regards direct access to data — which has been synonymous with government hacking or remote access. In our report on human rights and government hacking, we concluded that there must be a presumptive prohibition on all government hacking and heightened protections when hacking is authorised. Throughout the months of expert meetings and consultations on this matter, we have repeatedly pointed out that any step in that direction must come with codification of a strong framework to ensure that government hacking respects human rights. It’s yet to be seen how much the Commission took on board from the consultation and whether the new law will address such hacking at all. The Commission acknowledged that “those investigation techniques have to be considered with caution in view of their potential invasiveness and the risk for fundamental rights and privacy”. To protect human rights, the previously published technical paper needs substantial improvement if and when it is turned into legislative action. We do not know yet whether the February proposal will include any elements of this direct access approach.

In our submission to the consultation we argue that states should prioritise MLAT improvements over additional measures. This is in part because direct cooperation (as currently envisioned) would substantially interfere with human rights, including the rights to privacy and freedom of expression.

The consultation also has a worryingly strong focus on the location of data as a determinant of cooperation; this is highly problematic. During this consultation process (which has been taking place through several stakeholder round-tables over the past year), most participants have acknowledged repeatedly that the physical location of data is less relevant than the location of the person, their device, and their activity. Adding this complexity — using the location as determinant — could compound the existing issues with data localization.

Finally, we regret that the structure and some of the questions of the consultation are skewed, as compared to previous Commission consultations on this topic. Civil society has had only limited opportunity to weigh in, either because a question is restricted to respondents from law enforcement; or the consultation doesn’t allow adding a more detailed explanation to an answer unless the answer is favorable to the Commission’s view; or the framing of a question reflects bias at the outset. We welcome, however, the opportunity the Commission has provided to participate in expert meetings, give feedback on the technical paper and other documents, and to answer the public consultation.

On the other side of the pond

In the meantime, there are relevant developments in the US, with legislative proposals and a key case before the US Supreme Court that will impact the rights of non-US persons.

On the legislative front, a bill called the International Communications Privacy Act (ICPA) is aimed at resolving uncertainty about when and how the US can get access to user data stored abroad. A second proposal would let the US enter into data-access agreements with other countries, the first of which would be the United Kingdom.

At the US Supreme Court, a hearing on the “Microsoft Ireland” case will determine whether US courts can require a US-based service provider to produce the contents of a customer’s email account stored on a server located outside the United States, in this case Ireland. Due to its international implications, even the European Commission decided to weigh in, joining the numerous other organisations that have submitted an amicus brief. The Commission said that “given that the transfer of personal data by Microsoft from the EU to the US would fall under the EU data protection rules, the Commission considered it to be in the interest of the EU to make sure that EU data protection rules on international transfers are correctly understood and taken into account by the US Supreme Court”.

Hmmm — so now what happens with everyone’s two cents?

As the next step of the EU legislative process on this matter, the Commission should publish an impact assessment as well as the responses of all stakeholders in the public consultation. The process would normally be stretched over the period of several months, but due to the political pressure on this file and the time pressure for dealing with any new legislation, the Commission has promised to publish the legislative proposal next month, in the first quarter of 2018.

Access Now has been following this discussion since the encryption talks last year, and we have been heavily engaging with the Commission throughout the consultation process. We are closely monitoring the situation, and we will continue to update this blog with more information as it rolls in.

Needless to say, if this proposal arrives without strong human rights protections, you will be hearing a lot more from us.