The future of data driven investigation in light of the Sky ECC operation

In our article, ‘The future of data driven investigations in light of the Sky ECC operation’, we examine whether or not, and on what terms, there is a future for data driven criminal investigations. To answer the research question, we identified the main characteristics and legal criteria for data driven investigations. We use the Sky ECC operation to contextualise data driven investigations. The legal criteria are derived from the right to privacy and the right to a fair trial. Finally, we examine the impact of a violation of these criteria for the use of evidence in criminal proceedings.

The full article is published in open access in the New Journal of European Criminal Law (.pdf). It is part of a thematic issue ‘Bridging the Regulatory Disconnection Between Data Collection and Data Analysis in Criminal Investigation’. In this blog post, we share our main findings.

The Sky ECC operation

Sky ECC is an app on so-called cryptophones, which were widely used by individuals involved in organised crime. The app used encryption techniques to communicate more securely and entailed additional features to anonymise its users.

French, Dutch and Belgian law enforcement authorities cooperated in a Joint Investigation Team (JIT) to gather evidence about the criminal activities of Sky Global and its users and share technical knowhow. In our article we explain the events of the operation in as much detail as possible. Most notably, French law enforcement authorities were able to collect and decrypt messages and other data sent by Sky ECC cryptophones from 18 December 2020 until presumably approximately 9 March 2021.

According to Belgian law enforcement officials, 1 billion (!) messages were intercepted by French law enforcement authorities in France and shared with the JIT partners. At least 500 million messages of this ‘bulk interception’ were decrypted within the first month. We believe that these messages represent a treasure trove or “jackpot” for law enforcement authorities, due to the potential evidence of crimes and intelligence that can be derived from them. Law enforcement officials have made similar statements in interviews.

Therefore, the Sky ECC operation is a prime example of a data driven investigation. This type of investigation involves the processing of data that has been collected by law enforcement authorities in an earlier phase, which is then enriched and linked with other data for future investigations. Of course, the bulk collection and subsequent analysis of data for use as evidence raise questions relating to the right to privacy and the right to a fair trial.

  1. Right to privacy

In our article, we examine the privacy interference in an operation such as Sky ECC and identify which minimum safeguards the European Court of Human Rights (ECtHR) would probably require in a (future) case involving this type of operation. We explain that the bulk collection in Sky ECC significantly interferes with the right to privacy and the ECtHR would probably require at least the same safeguards as identified in the case of Big Brother Watch and Centrum för Rättvisa.

We find it particularly noteworthy that the minimum safeguards do not only focus on the collection phase, but require safeguards during all phases, including the (further) processing of data. Obviously, only a warrant provided by a judge or independent authority to justify bulk interception of communications is not enough. With these minimum safeguards, the ECtHR makes clear that throughout the phases of bulk data investigations, principles of data protection regulations apply. Here, the ECtHR clearly establishes a connection between criminal procedural law and data protection law.

In order to minimise the risk of the bulk interception power being abused, the ECtHR emphasises the need for ‘end-to-end safeguards’. This entails the following key elements: (a) a necessity and proportionality assessment should be made at each stage of the process; (b) bulk interception should be subject to independent authorisation at the outset, when the object and scope of the operation are being defined; and (c) the operation should be subject to supervision and independent ex post facto review.

  2. Right to a fair trial

In our analysis of the right to fair trial, we focused on the ‘equality of arms’, a key principle of the right to a fair trial. The ECtHR has consistently judged that criminal procedure should be adversarial and that there should be ‘equality of arms’ between prosecution and defence. Building upon earlier work of others, we identified three main elements of the equality of arms in the context of the Sky ECC operation: (1) transparency; (2) reliability of evidence; and (3) access to datasets.

We noted that the use of algorithms, key word indexes, or network analysis techniques is rarely mentioned in case law. Yet, this information may be relevant when discussing the reliability of the evidence. Compared to earlier work, we made a more in-depth analysis regarding the issue of the reliability of evidence.

The legal evaluation of the authenticity and reliability of digital evidence, and therefore the opportunity for the defence to challenge digital forensics expertise, depends on the selected digital forensic process, methods, and tools for each forensic task. There must be sufficient documentation and possibilities to challenge the reliability of evidence. At the same time, we point out that Sky ECC messages are rarely the only source of evidence used to convict individuals of crimes. Oftentimes, additional sources of evidence are available, such as data production orders directed at telecommunication service providers to gather subscriber and location data, data production orders to gather passenger name records, seizing a suspect’s cryptophone, correlating the nicknames of suspects from other sources of evidence to Sky ECC messages, and, of course, obtaining testimonials or even confessions from suspects. Taken together, this may be factored in when assessing the reliability of evidence.

With regard to access to datasets, we reiterated that all information that is deemed relevant in a particular case and that can be used against the suspect in a criminal case (the tertiary dataset), should be disclosed to the suspect. In addition, the defence should have sufficient facilities (an ‘effective opportunity’) to access and analyse the data. The defence can request and should motivate why they require further access to the secondary dataset. When the Public Prosecution Service denies access to the data, it must motivate this refusal, for example by referring to ongoing (other) criminal investigations or the risk of reprisals for individuals who are also part of the dataset.

  3. Exclusion of evidence

In general, the ECtHR keeps aloof when it comes to the assessment of evidence, as this is rather a task for the national judges, especially assessing the admissibility or weight of specific pieces of evidence. In other words, the ECtHR provides for a large margin of appreciation on this matter by national judges. Nevertheless, some overall observations should be made.

In our article we first point out that the ECtHR has repeatedly found that evidence obtained through a violation of the right to privacy does not necessarily amount to a violation of the right to a fair trial. Hence, privacy violations should not lead to the exclusion of evidence and could have little to no impact on ongoing and future possible criminal cases. However, it is uncertain whether this will remain so, due to case law of the Court of Justice of the European Union.

Second, violations of the right to a fair trial may have serious consequences for the outcome of an investigation. Not only can evidence be excluded from the procedure, e.g., when evidence is not reliable, but a violation of the right to a fair trial can also render the procedure as a whole inadmissible or lead to the acquittal of suspects, e.g., when the defendant has not had proper access to the evidence.

Conclusion

The Sky ECC operation illustrates a law enforcement practice in which intelligence and criminal investigations have become intricately intertwined, potentially spawning hundreds, if not thousands, of criminal cases from a single activity involving bulk data collection.

We posit that Sky ECC may serve as a precursor to future operations in which law enforcement authorities target similar ‘grey infrastructures’, employing investigative techniques such as the seizure of servers, hacking, or the interception of communications, or all of these at the same time. However, law enforcement authorities must tread carefully on the fine line between intelligence gathering and criminal investigation. There is a danger that the main objective becomes a fishing expedition, because the sought-after data may be a treasure trove for other criminal investigations, but not sufficiently related to the investigation at hand. There is also the risk of a slippery slope, as it is unclear what proportion of criminal activity makes an infrastructure exactly ‘grey’ and thereby a potential target for law enforcement agencies.

When regulating data-driven investigations, the main take-away of our analysis relating to the right to privacy is that a warrant authorising the acquisition of the data is not a sufficient safeguard. The ECtHR requires that data protection regulations are also applied and overseen by independent and effective oversight bodies. Criminal procedural law, which regulates the collection of data, and data protection law, which regulates the processing of data, are connected and intertwined. We also emphasise that violations of the right to a fair trial may have serious consequences for criminal proceedings, since they may lead to the exclusion of evidence. Therefore, we anticipate an ongoing discourse on the transparency and reliability concerns in operations like Sky ECC.

Jan-Jaap Oerlemans & Sofie Royer

This is a cross-post from sofieroyer.be and Montaigne Centre Blog.

The necessity of a new cyberlaw for Dutch intelligence and security services

Growing cyber threats to Dutch national security reveal an urgent need to amend current powers of intelligence and security services. The proposed “Cyber Act” aims to address these challenges by granting bulk interception and hacking capabilities, and by allowing for greater flexibility in the oversight process. However, further clarification is needed on the scope of the Act.


In my opinion, there is an urgent need for a new bill that amends the bulk interception and hacking powers of Dutch intelligence and security services. In this blog post, I share the essential points that I presented during a ‘round table hearing’ at the Dutch parliament on 5 April 2023. My original contribution (in Dutch) can be found here.

The (cyber)threat

The cyberthreat the proposed legislation aims to address should be completely clear. The Dutch General Intelligence and Security Service (AIVD) first reported about ‘digital infringements on Dutch vital ICT infrastructures’ in 2007. This message highlighting the risks of digital espionage to our national security has been reiterated in every annual report since 2013. These reports explicitly mention various victims of digital espionage, including Dutch ministries, telecom providers, universities, educational institutions, think tanks, and biotechnology companies.

Our Military Intelligence and Security Services (MIVD), as well as the National Cyber Security Centre (NCSC), have echoed these concerns. In fact, the NCSC considers the threat posed by ‘state actors’ to cybersecurity as the most significant among all threats, surpassing even the threats posed by criminal actors. 

The problem

In 2021, the Dutch intelligence and security services raised concerns regarding challenges they encountered in their cyber operations. These issues primarily stem from the “legality review” process conducted by the newly established Investigatory Powers Commission (TIB). The TIB is responsible for granting or denying warrants for investigatory powers, including bulk interception and hacking.

The proposed Cyber Act  

To address these challenges, a bill has been introduced, which I refer to as the ‘Cyber Act’. This proposed legislation specifically addresses bulk interception and hacking capabilities and proposes significant changes to the oversight system in the Netherlands. It is crucial to emphasise that the scope of the bill is limited to operations conducted by Dutch intelligence and security services that target the gathering of intelligence related to “offensive cyber operations of foreign states”. 

The aim of the proposed bill is to amend and partially shift the oversight of bulk interception and hacking as investigatory powers from the Investigatory Powers Commission (TIB) to the Dutch Review Committee on Intelligence and Security Services, allowing for greater flexibility for intelligence and security services. It seeks to establish a more dynamic oversight process that aligns with the technical realities of these powers. 

It is also noteworthy that the proposal grants the Dutch Review Committee on Intelligence and Security Services the (binding) power to halt an operation and (ultimately) order the deletion of unlawfully processed data when specific investigatory powers are employed. Currently, this oversight body lacks any binding authority in its task of overseeing intelligence and security services. Additionally, the proposed legislation introduces an appeals procedure for decisions made by the Dutch oversight bodies, enabling a judge to make the final determination regarding the legality of actions and decisions. 

Bulk interception 

Bulk interception serves as a notable example that illustrates how investigatory powers are amended in the Cyber Act. One significant challenge in the current application of bulk interception as an investigatory power is the disagreement between the intelligence and security services (and their responsible ministers who authorise these powers) and the Investigatory Powers Commission (TIB) regarding the level of focus that should be applied to bulk interception.

It is important to clarify that bulk interception is inherently non-targeted in nature. It involves the interception of large volumes of data (bulk) after it is collected at a specific location. This process differs from, for instance, wiretapping. With wiretapping, data associated with a particular identifying number, such as a telephone number or IP address, is intercepted. Bulk interception captures a greater volume of data, including unidentified numbers that may be connected to potential national security threats. In a cybersecurity context, bulk interception can be used to collect intelligence about the IT infrastructure utilised by foreign actors engaging in covert activities on Dutch infrastructure.

The Cyber Act aims to do more justice to the untargeted nature of bulk interception, but solely within the context of gathering intelligence related to the threat of offensive cyber operations conducted by state actors that pose a risk to national security. While the bill includes numerous detailed provisions, which I will not delve into here, I believe the arguments put forth in support of the proposals are compelling. Therefore, it is in my view necessary to amend the law. In fact, I think we should consider an even more substantial role for intelligence and security services in combating cybersecurity threats.

Addressing the threat of cybercrime to national security

The issue of cybercrime posing a threat to national security deserves attention. I emphasised that the Dutch National Security Centre identified ransomware as a national security threat. I agree with this assessment, insofar as ransomware attacks have severe economic consequences or disrupt vital infrastructures. Regrettably, we have already witnessed ransomware incidents targeting the Port of Rotterdam, hospitals, and municipalities in the Netherlands.

In the Netherlands, there is a strict separation between the investigation of criminal activities and the investigation of national security threats. It is evident to me that the Dutch Intelligence and Security Services should investigate ransomware attacks that pose a risk to national security. However, it remains unclear whether such investigations are currently being carried out. While the Dutch Cyber Act appears to primarily focus on state actors, I would appreciate clarification on whether it also encompasses ransomware activities conducted by criminal organisations.


This is a cross-post from my blog post on aboutintel.eu. It is part of a discussion prompt about the ‘Dutch Temporary Cyber Act’, with contributions from Lotte Houwing and Bert Hubert.