The European Commission is thinking… about government hacking

Image source: Pixabay

Mutual legal assistance treaties (MLATs) are the globally accepted system for law enforcement to access data (often stored in a jurisdiction far, far away) for criminal investigations. We have been extensively covering the failings of the existing system (and there are many), but we firmly believe that any effort to ease access to data should focus on reforming the MLAT process, resolving shortcomings, and strengthening fundamental right safeguards.

The European Commission has recognised the need to address the flaws in the MLAT process so it has launched an investigation into cross-border access to “e-evidence” both within and beyond the EU, with a goal to simplify and optimise the malfunctioning process.

As a part of this investigation, the Commission has published a detailed technical paper and a shorter non-paper, in which they explain their findings and outline next steps — both practical and legislative. The Commission is conducting regular meetings with stakeholders, including civil society, with impressive frequency. Access Now submitted a brief paper that highlights the human rights implications of their current thinking; in it we argue for greater legal clarity, consideration of the existing European Investigation Order, a need to address the human right implications of government hacking, and more.

The  Commission explores three main methods for cross border access to digital evidence:

  • Formal cooperation channels between authorities of the different countries such as MLATs in the international and the European Investigation Order in the EU context;
  • Direct cooperation between a law enforcement authority of one country and service providers whose main seat is in another country;
  • So-called direct access.

Direct cooperation and direct access

Seemingly, for the EU Commission, MLATs are a bureaucratic nuisance of the past, even though there are plenty of suggestions on how to reform the MLAT system. The Commission instead dedicates plenty of space to the terms ‘direct cooperation’ and ‘direct access’.

Direct cooperation means that law enforcement or judicial authorities do not have to go through their counterpart agency in the other country where they seek evidence in order to obtain evidence. Instead, the authorities can request the data directly from the service provider such as Facebook or Vodafone.  

This avenue has been the focus of the Commission’s investigation, because law enforcement is increasingly frustrated with the administrative loops they have to jump through to reach service providers — understandably. However, the process dismisses and  circumvents the existing European Investigation Order (EIO) which at least provides for a baseline respect for fundamental rights and safeguards. Therefore, at the moment, we oppose the development of a framework within the EU that is built on direct cooperation, bypassing the current legal framework, unless it is built from the ground up with necessary human rights protections and strictly limited to situations where the use of extraordinary process is justifiable.

The other legislative piece is what the Commission has dubbed as ‘direct access to e-evidence’, in which the Member States already engage (there was a survey and a report on it). There should be no doubt that the process described by the Member States and the Commission in its paper, de facto, amounts to government hacking; a virtually invisible process which Access Now has repeatedly argued desperately needs to be subject to affirmative human rights safeguards, transparency, and accountability. The Commission introduces plans to legislatively anchor a notification obligation to other affected countries (within the EU) if and when the Member States law enforcement engages in such an operation, yet it fails to acknowledge and to address the potential unlawfulness of such a process. Instead, the Commission exempts itself from responsibility by stating that the [government hacking] framework “would essentially leave it to each Member State to provide for a competence of its authorities to perform extended or remote searches”.

So while we’re excited that there is an acknowledgement of the need to anchor government hacking into transparent legislation, the current thinking of the Commission doesn’t even begin to cover what needs to be done. And if you’re wondering why the Commission should care what EU countries do — well — it is the responsibility of the Commission as the Guardian of the Treaties (not to be confused with Guardians of the Galaxy —  there is no tiny Groot to be found in Brussels… I checked) to investigate national practices and potential violations against the European Charter of Fundamental Rights in this matter.

No backdoors – we’d like to use the window!

The second part of the day was dedicated to encryption. Some of you may recall our coverage last November/December when the Justice and Home Affairs Ministers first started voicing their opinions that encryption was a problem. After our meeting we can conclude that the Commission doesn’t want to weaken encryption or create backdoors (yay! Apparently too many people complain that way), instead, the conversation was based entirely around Schneier-Kerr paper Encryption Workarounds which lead us straight back to the conversation around government hacking. And with their promise that we can expect something in the fall of 2017, we should anticipate the EU is cooking up legislation around government hacking — whether they call it that or not.

We will continue working with the Commission and following this process closely over the coming months. While we have our reservations about the current focus, this process has been inclusive, engaged, and the Commission has truly created a regular dialogue with service providers as well as civil society, all of which we warmly welcome and hope will set a precedent for similar processes in the future.


Further reading from Access Now: