The planned EU e-Evidence regulation is intended to force Internet service providers to cooperate more with police and judicial authorities. However, a survey shows that the companies already comply with their requests voluntarily. But they are often incorrect and thus rejected.
The police from Germany, France and Great Britain request by far the most data from Internet service providers. This is the result of a study by the SIRIUS project, which Europol has published on its website. 38% of all requests (67,991) come from German authorities. Although the so-called G6 countries (Germany, France, the UK, Poland, Spain and Italy) represent half of the EU population, their authorities are responsible for around 90% of crossborder internet surveillance activities.
The SIRIUS platform located at the police agency Europol in The Hague is intended to facilitate the exchange of knowledge on electronic evidence. Via a secure connection, authorities in all EU member states can obtain information on how to query Internet service providers. This applies to traffic, user and content data, which are released in different ways. SIRIUS also contains instructions for “Open Source Internet Searches” (OSINT) and for conducting queries on user data from various service providers. This enables the persons behind IP addresses or mail accounts to be determined.
Requests 66% successful
The SIRIUS survey for 2018 is based on information provided by law enforcement authorities from 24 Member States, with only Estonia, Luxembourg, Malta and Romania not responding. Transparency reports from 12 ISPs (Airbnb, Apple, Automattic, Cloudflare, Dropbox, Facebook, Google, LinkedIn, Microsoft, Oath, Snapchat, Twitter) were also analysed.
Legislation on the release of electronic evidence varies from country to country, and some providers also differentiate between criminal or civil proceedings when complying with requests. Most service providers are located in the USA, where requests for traffic data (connection protocols, IP addresses, number of messages) and user data (name, e-mail, telephone number of subscribers) can be adressed directly to the companies. Most requests were sent to Facebook (30%), Google (26%) and Apple (24%). Their compliance is currently still voluntary, but according to the study they are nevertheless successful in the police sector with an average of 66%.
In emergencies, traffic and user data can also be queried in the context of so-called “Emergency Disclosure Requests” (EDR). US legislation defines this as a situation in which a person is at risk of death or serious injury. In this case, the information may be released to foreign law enforcement and judicial authorities within minutes or hours. These emergency requests are obviously also abused: According to the SIRIUS report, the UK accounts for 67.5% of all urgent requests (6,158), followed by Germany with only 8.2% (749). The most urgent requests were received by Facebook (53%), Google (20%) and Twitter (14%).
The study also includes information on why requests by Internet service providers were refused. In many cases, this means that invalid identifiers are transmitted, including wrong or incorrect e-mail addresses, telephone numbers, URLs or user names. Some companies complain about excessive requests, which would lead to the disclosure of a very large number of users. Authorities would often dispense with justification or forget to refer to the valid legal basis. Nevertheless, “all available data” on users is often requested. Some data (such as profile pictures) are simply not available from the providers, which is why they react with a refusal.
Mutual legal assistance for content data
If an application is rejected, mutual legal assistance remains. The prosecuting or judicial authorities then adress their applications to the public prosecutor’s offices of the executing state. The European Union has concluded such a mutual legal assistance agreement with the US government, for example. This normal legal procedure is also prescribed if content data (photos, audio and video files, mail and messenger data) is demanded.
However, according to half of all investigators interviewed in SIRIUS (49.7%), the procedure takes too long, averaging about 10 months. Often the legal assistance also runs into nothing because the content data is no longer stored on the companies’ servers. The requesting authorities can indeed make a request to retain the individual data records until legal action is taken. But this is often forgotten.
Investigators cannot speak English
The SIRIUS study shows that the release of electronic evidence for traffic and user data largely works. If requests are refused, this is usually due to unprofessional requests from the requesting authorities. Their uncertainty is also evident in the survey. According to the study, 22% of those who responded find it difficult to make the request concrete at all. Often technical knowledge is also lacking, for example when the answers have to be processed. Many investigators also complain about communication in English.
Although the Internet service providers are thus willing to cooperate, the orders to capture and hand over electronic evidence are now to be settled in two new EU regulations. Then, requests for content data will also be allowed to be made directly to the companies. At least this is how the Commission formulated it in April 2018 in its proposal for an e-Evidence Regulation. A year ago, the Council also confirmed this position. It specifies that the issuing state should only inform the state in which the Internet service provider concerned has its registered office of a measure. This so-called notification procedure excludes the possibility of rejecting the order.
Moving away from the territoriality principle
The planned e-Evidence Regulation on the preservation and release of electronic evidence is to apply to all criminal offences. In this way, Polish public prosecutors’ offices could monitor anti-abortion activists abroad, and the Spanish police could demand the disclosure of e-mail accounts from opposition politicians in exile. This distinguishes the regulation from a directive such as the EU arrest warrant, which may only be used for certain offences. Judicial authorities in the executing state then check whether the conditions are met or whether a double punishment exists. This is also provided for in the already existing Directive on the European Investigation Order (EIO), which could also be used for the handing over of electronic evidence.
The new EU Parliament will discuss the e-Evidence Regulation for the first time in February in the responsible Committee on Civil Liberties, Justice and Home Affairs (LIBE). Many MEPs are particularly critical of the cross-border retrieval of content data. A European freezing and release order of digital data would also call into question the territoriality principle, according to which the executing state can no longer protect the fundamental rights of its citizens without reviewing the requests.
US authorities want to intercept legally in Europe
After a first vote in the LIBE Committee, the trilogue negotiations between Parliament, Council and Commission on the e-Evidence Regulation should begin. A quick conclusion is unlikely, so that the negotiations will fall into the German EU Council Presidency in the second half of 2020.
Although no parliament has yet dealt with the e-Evidence Regulation, the EU Commission is already negotiating with the United States on orders even across EU borders. The governments of the EU member states had already granted a corresponding mandate in summer, even before the election of the new EU Parliament. The Council wants an inclusion in the so-called CLOUD Act, with which the US government forces domestic Internet service providers to cooperate.
The US judicial authorities are open to such a framework agreement, but in return demand that content data be queried in the European Union. This would include real-time interception when telecommunications are carried out over the Internet. Such interception of packet-switched traffic would thus even go beyond the European e-Evidence Regulation.
Image: The SIRIUS platform at Europol (Europol).