Inconsistent Rules for Supplying Digital Evidence Complicates Cross-Border Police Work

It says something about the state of Europe’s digital economy that its law enforcement bodies submit 76 percent of their requests for digital evidence to three US firms: Google, Facebook and Microsoft. Perhaps the European prosecutors and police officers should be glad to rely on US rules and customs for sharing personal data given some of the findings of the second annual EU Digital Evidence Situation Report of the SIRIUS project, a Europol initiative set up in 2017 to support digital cross-border investigations. Their survey of online service providers (OSPs) found that some European countries prohibit businesses from responding directly to requests for digital evidence from foreign authorities. But whilst 14.7% of survey respondents said they were explicitly prohibited from responding to direct requests from overseas bodies, another 38.2% said they would not do it even though they knew of no regulation that tells them not to.

The two-way process of voluntary cooperation entails that for every data disclosure request directly submitted to a foreign-based company, a response could involve production and handing over of information. Reversing the situation and looking at it from the perspective of the addressees: are OSPs – assuming it is part of their internal policies – allowed by their national legal frameworks to comply with direct requests coming from foreign-based authorities? Even before reporting whether they are allowed or not, it is interesting to notice how a vast majority of the respondents (82.3%) stated how this matter lacks regulation in their respective national legal frameworks, as opposed to the 17.6% of the cases where legislation is in place.

The result is a bizarre split where slightly under half of OSPs will provide digital evidence in response to a request from foreign law enforcement, though only 2.9% do so because there is a law that says they can. In contrast, 52.9% of OSPs will refuse to provide digital evidence in the same circumstances. This must be galling for police forces who will have an equal interest in catching criminals no matter where their personal data is held.

It may be possible for law enforcement to get the evidence they need via a request to a corresponding authority in the country which has the data. However, every delay reduces the chances of success because OSPs are also obliged to delete old data.

EU judicial representatives were requested to identify the three most challenging aspects faced while contacting foreign OSPs in the context of requests for electronic evidence under voluntary cooperation. As per the result presented in last year’s overview, the predominant issue, pinpointed by the 70.6% of respondents, lamented the short data retention periods of the information collected after a preservation request / order is submitted to the companies by EU competent authorities.

The issue of timeliness is also the main concern when European bodies use official channels to obtain digital evidence from the USA.

When asked to identify the main problems encountered with Mutual Legal Assistance processes towards competent authorities in the United States, EU judicial authorities surveyed reported almost unanimously (94.1%) the long time needed for MLA procedures as the most challenging issue encountered in 2019.

However, the report also noted that the US authorities will take informal measures to speed up processes in particular cases.

There is also inconsistency in whether OSPs can charge law enforcement bodies for the work being done on their behalf, and whether the OSPs actually choose to levy charges when legally permitted to do so.

Looking ahead at possible future challenges that could have a role in the process of request and disclosure of electronic information, two dedicated questions focused on the so-called cost-reimbursement system which entails that OSPs may seek reimbursement for costs in responding
to authorities requests for information as provided by law or domestic legislations.

The comparative analysis of the feedback received on the matter shows that the majority of respondents does not have a cost reimbursement system in place (67.7%) and never received a demand for compensation of the costs associated to reply to a production order (91.2%). Opposite answers to both questions, despite being a minority, demonstrate, on the other hand, that such a mechanism does exist yet its application is quite sporadic.

More consideration needs to be given to efficiently determining the price and settling the amounts owed for such services. Though businesses may have been prepared to absorb the cost up to now, the report begins by stating that the importance of electronic evidence “is increasing exponentially over time”. This will inevitably prompt questions if the costs of supplying all this evidence keeps rising too.

Most of the data requested by law enforcement focused on key essentials about a subject’s identity.

Results show that the five most important datasets in criminal investigations are: IP address used at registration, e-mail address, phone number, name and connection logs (data, time and IP address of connection)…

Though less common, there was also significant demand for kinds of data that have greater implications for privacy, and hence will be subject to different legal protections in each country. This data includes: billing and payment data; the location of the user’s device; and the content of user files stored in a digital format such as text, voice and images.

The 68-page report is a detailed read but worth the time for anyone responsible for the liaison between law enforcement agencies and businesses that have lots of personal data, even if they are not based in the European Union. Most of the issues identified in the report are universal in nature, and will grow in significance because police and prosecutors will require more digital evidence in future.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.