Weitere Kapitel dieses Buchs durch Wischen aufrufen
The chapter describes an overview of the current situation in the EU with respect to matters not yet solved regarding communication interception systems and electronic data retention, also based on direct and personal experience of the author who is a public prosecutor. A state of the art on this topic is well described also focusing on some experiences and cases experimented by the Italian authorities when dealing with VOIP Systems and the cross-border acquisition of such information as probative values in the investigation phase. After having summarised the technological landscape with which investigators must deal in their daily activities fighting (not just organised) crime, the author tries to answer to the practical question of what can be done to overcome the legislative gap. Some solutions are given also considering the current scenario taking place in the USA with respect to the same issues and barriers.
Bitte loggen Sie sich ein, um Zugang zu diesem Inhalt zu erhalten
Sie möchten Zugang zu diesem Inhalt erhalten? Dann informieren Sie sich jetzt über unsere Produkte:
VOIP are all those services that, in fact and as can be understood from the literal definition, use the Internet as a vocal communication channel.
It is worth noting that despite this acquisition, the company Skype Communications SARL in fact continues to maintain policies that are different from those of Microsoft Corp. concerning judicial authorities.
Regarding this matter see MCCULLAGH, “Skype: We can’t comply with police wiretap requests”, in news.cnet.com (9.6.2008).
The basic concept of end-to-end encryption is creating for each party a secret key (known only by the other party) and a public key that the party “publishes” in directory services to allow others to speak securely with him. That which is encrypted with the public key can only be decrypted with the secret key.
From the point of view of cryptographic algorithms, end-to-end encryption is based on asymmetric cryptographic systems, the first commercially available product being RSA’s free version called PGP, an implementation of an RSA system with free code (at the time these algorithms were protected by the US DOD and the author, who developed the program and then made it public, was convicted and sentenced to serious time).
Cited by Stecklow et al. ( 2011): “ The Skype communication system... counts as a safe and encrypted Internet communication system to which most extremist groups have resorted to communicate with each other”.
On this point it is interesting to recall that in June 2011 the US Patent and Trademark Office (USPTO) published the patent application—filed by Microsoft in December 2009—that describes a way to legally intercept VoIP calls, explicitly mentioning Skype as an example.
Mensurati, Tonacci, I boss si parlano su Skype, impossibile intercettarli, in www.repubblica.it (14.2.2009).
Mensurati, Tonacci, Boss e intercettazioni, Skype sotto accusa, in www.repubblica.it (15.2.2009).
Letter dated 27 February 2009.
Note of the Deputy Prosecutors Ferdinando Pomarici (coordinator of the District Anti-Mafia Directorate) and Armando Spataro (coordinator of the counterterrorism pool).
Mensurati, Tonacci, Skype collaborerà con la polizia per inseguire i criminali sul VoIP, in www.repubblica.it (27.2.2009).
On this point see the effective journalistic reconstruction of GRIMALDI, “Due giorni di misteri, poi l’esecuzione”, in www.corriere.it (6.4.2008).
One must remember this fundamental point: the fact that the providers cannot “enter” into the communications between the two parties, especially because in most cases the traffic does not pass through their servers, does not mean that they cannot make it available. In fact, the telecom operators manage the most important information, i.e., the public keys and the cryptographic algorithms in their code. End-to-end encryption provides for the possibility of introducing “escrow keys” in the programming code, even “hidden” and not easily detectable by third parties.
For the constant exchange of views regarding this matter, I’d like to thank Maurizio Bedarida (one of the two technical consultants of the Milan Prosecutor’s office indicated in the text of this paragraph).
The origin of this definition should be drawn from the paper shown in the first “Strategic meeting on Cybercrime”, organised by Eurojust in Athens on 23–24 October 2008: see Cajani ( 2009).
It is evident that there are no problems of jurisdiction where the prosecution is able to tell the magistrate for preliminary investigations that the communications needing to be intercepted are taking place between two Italian citizens or in any case between two people within the country’s borders, regardless of whether—accidentally—these conversations go through a server located abroad.
See LUMB, “Why Apple Is Spending $1.9 Billion to Open Data Centers in Denmark and Ireland”, in www.fastcompany.com (23.2.15).
The news practically travelled around the world: see among many LOHR, “Microsoft Protests Order to Disclose Email Stored Abroad”, in www.nytimes.com (10.6.2014).
Otherwise it would be necessary to first seek phone records of the number used for the connection to the Internet (to identify the service provider) and then to plan, in consultation with the provider, the deployment of the so-called probes (technically necessary to intercept the useful traffic). Overall these operations can reasonably take up to a whole week!
More precisely, based on the principle of Net Citizenship, the user could choose which legislation the email account would be subject to when registering for a @yahoo email account. Only in the cases in which the user had chosen Italian legislation would the mentioned software allow the immediate interception where necessary for investigative purposes and authorised by the order of the Criminal Investigation Department.
The case arose from a @yahoo.it account subjected to interception—in the manner permitted by the Yahoo! Account Management Tool—without any result (i.e., the Criminal Investigation Department received nothing on the account that had been set up). After the arrest of the suspect (a phisher from Romania), the same during an interrogation and in the presence of the counsel for the defence gave the prosecutor the access credentials to his account (i.e., the one that had been intercepted without success). It was then discovered to their surprise that instead there were many messages available, received in the period in which the account had been subject to interception. Subsequent investigations of the Guardia di Finanza—Gruppo Pronto Impiego (Italian Fiscal Police) of Milan positively established that the Tool could actually be accessed by many within the various European subsidiaries of Yahoo!, compromising users’ privacy (and not only for inquiries of Criminal Investigation units). The documentation was sent to the Italian Data Protection Authority, which confirmed the technical findings and the legal argument of the Prosecutor of Milan. See Ferrarella, Buco’ nei controlli in Rete. I pm mettono in regola Yahoo”, in www.corriere.it (30.10.2008).
Significantly, in 2008, while in Italy it was actually possible to intercept an @yahoo.com email account, in Belgium to the contrary the American company denied any form of cooperation with judicial authorities requesting access to data traffic. This fact was at the origin of the famous “Yahoo! Case” that, after 7 years, finally saw the Belgian Federal Prosecutor’s Office victorious in the Court of Cassation. See Roland, Court of Cassation definitively confirms Yahoo!’s obligation to cooperate with law enforcement agencies in www.stibbe.com (7.1.2016). Regarding the various policies of American ISPs and the number of requests for data from the Member States of the Council of Europe see the paper of the T-CY Cloud Evidence Group entitled “Criminal justice access to data in the cloud: cooperation with ‘foreign’ service providers” in www.coe.int/web/cybercrime.
From the European legislation on electronic communications also derives the legislative decree of 1 August 2003, no. 259—Italian Electronic Communications Code.
And precisely: Directive 2002/19/EC of the European Parliament and of the Council, 7 March 2002 regarding access to electronic communications networks and associated resources, and interconnection of the same (Access Directive); Directive 2002/20/EC of the European Parliament and of the Council of 7 March 2002 on the authorisation of electronic communications networks and services (Authorisations Directive); Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 establishing a common regulatory framework for electronic communications networks and services (Framework Directive); Directive 2002/22/EC of the European Parliament and of the Council of 7 March 2002 on universal service and users’ rights relating to electronic communications networks and services (Universal Service Directive).
In particular see the provisions of Article 6 of Directive no. 20/2002 regarding the obligation to make available the interception of communications, as a condition for issuing ministerial authorisation to the operator concerned to operate in the country. On this point it seems appropriate to recall, once again, how the Ministry of Economic Development—Telecommunications with a notice dated 12 September 2008 had expressed a written opinion, upon special request of the National Anti-Mafia Directorate, according to which Skype connections be included in the provisions of Italian Legislative Decree 259/2003 and therefore subject to the general authorisation referred to in Article 25. It is therefore possible to speak of “operator” in accordance with Article 1 letter u) of Italian Legislative Decree 259/2003, a concept which, moreover, is itself very broad in that it refers not only to “a company that is authorised to provide a public communications network” but even where the same provides “a similar resource”.
To this end, in December 2014 was established the T-CY Cloud Evidence Group, in which Italy also participates ( www.coe.int/en/web/cybercrime/ceg). Regarding the outcome of the work of the T-CY Cloud Evidence Group, see the paper entitled “Criminal justice access to data in the cloud: Recommendations for consideration by the T-CY” in www.coe.int/web/cybercrime.
See the press release entitled “Fight against criminal activities in cyberspace: Council agrees on practical measures and next steps” in www.consilium.europa.eu (9.6.2016).
See the United Sections of the Court of Cassation, sentence 1 July 2016, no. 26889: although limited to one of the many features of the trojan (and, in particular, the possibility to activate the microphone of a mobile phone or a of portable computer also in a private place where the crime under investigation is not committing to intercept all the conversation of the people present in this place), it indicates some more key points that—after 7 years from the first Supreme Court judgment (Section V of the Court of Cassation, sentence 14 October 2009 no. 16556) that had begun to outline the legal regime—allow to state the legitimacy of its use, despite criticism promoted by a lot of people. The sentence concludes for the admissibility of an environmental interception with the trojan when the public prosecutor is investigating an organised crime (according to Article 13 of Law 203/1991 that consents, for this important crime, the environmental interception also in the private place even if the crime under investigation is not committing there). For the other crimes Article 266.4 of Italian Criminal Procedure Code provides the admissibility of such type of interception only if in the private place is committing the crime under investigation, and so is not admissible a trojan able to activate an environmental interception everywhere.
Gerard E. Lynch.
See also Henning, Microsoft Case Shows the Limits of a Data Privacy Law, in www.nytimes.com (18.7.2016).
“Content data” is not defined in the Convention but refers to the communication content of the communication; i.e., the meaning or purport of the communication, or the message or information being conveyed by the communication (other than traffic data)”: thus paragraph 209 of the Explanatory Report to the Budapest Convention on cybercrime.
“For this article, the term “subscriber information” means any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established: a the type of communication service used, the technical provisions taken thereto and the period of service; b the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement; c any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement”: thus Article 18.3 Budapest Convention. Paragraph 178 of the Explanatory Report to the Budapest Convention explains that subscriber information may be needed for a criminal investigation “primarily in two specific situations” - “First, subscriber information is needed to identify which services and related technical measures have been used or are being used by a subscriber, such as the type of telephone service used (e.g., mobile), type of other associated services used (e.g., call forwarding, voice-mail, etc.), telephone number or other technical address (e.g., e-mail address)” - “Second, when a technical address is known, subscriber information is needed in order to assist in establishing the identity of the person concerned”. Paragraph 178 goes on stating that “other subscriber information, such as commercial information about billing and payment records of the subscriber may also be relevant to criminal investigations, especially where the crime under investigation involves computer fraud or other economic crimes”. Paragraph 180 of the Explanatory Report clarifies the range of data to be considered as subscriber information: “Subscriber information is not limited to information directly related to the use of the communication service. It also means any information, other than traffic data or content data, by which can be established the user’s identity, postal or geographic address, telephone, and other access number, and billing and payment information, which is available on the basis of the agreement or arrangement between the subscriber and the service provider”.
“ ‘traffic data’ means any computer data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of communication, indicating the communication’s origin, destination, route, time, date, size, duration, or type of underlying service”: thus Article 1.d Budapest Convention. As already shown in the EU Forum on Cybercrime Discussion Paper for Expert’s Meeting on Retention of Traffic Data (6 November 2001): “To investigate and prosecute crimes involving the use of the communications networks, including the Internet, law enforcement authorities frequently use traffic data when they are stored by service providers for billing purposes. As the price charged for a communication is becoming less and less dependent on distance and destination, and service providers move towards flat rate billing, there will no longer be any need to store traffic data for billing purposes. Law enforcement authorities fear that this will reduce potential material for criminal investigations and therefore advocate that service providers keep certain traffic data for at least a minimum period of time so that these data may be used for law enforcement purposes”.
In the experience of some Italian investigations, Microsoft was the first to provide—without a rogatory but only with a request from the Italian Public Prosecutor—such data, not only regarding @hotmail.it accounts but also @hotmail.com. At first, Google considered a rogatory to be necessary, but it changed its policy after the Google vs. Vividown case, and now provides all the data required if the request comes with an order from the Italian Public Prosecutor (not only from the Italian Criminal Investigation Department). Nevertheless, if an IP address (logged by the Google electronic systems concerning an e-mail @gmail.com) is not related to an Italian or an European server, currently the company does not maintain to be allowed to communicate it to the Italian Judicial Authority.
See the paper of the T-CY Cloud Evidence Group entitled “Criminal justice access to data in the cloud: cooperation with ‘foreign’ service providers”, cit.
For a hypothesis of criminal sanction regarding the ISP’s refuse to communicate the data see Article 46bis (§2) of the Belgian Code of Criminal Procedure, stating: “§1. In investigating the crimes and misdemeanours, the Public Prosecutor may, by means of a motivated decision in writing, if necessary by summoning the cooperation of the operator of an electronic communications network or the provider of an electronic communications service or a police department appointed by the King, proceed or order to proceed based on any data in his possession or by means of access to the operator’s or service provider’s customer files, to: 1 ∘ the identification of the subscriber or the regular user of an electronic communications service or the used electronic medium of communication; 2 ∘ the identification of the electronic communications services to which a specified person is subscribed or which are regularly used by a specified person. The motivation reflects proportionality, with respect for the privacy and subsidiarity, compared to any other act of inquiry. In case of extremely urgent necessity, any officer of the criminal investigation department may summon to receive these data by means of a motivated decision in writing, after prior verbal authorisation from the Public Prosecutor. The officer of the criminal investigation department shall communicate this motivated decision in writing and the acquired information within 24 h to the Public Prosecutor and motivates the extremely urgent necessity. §2. Any operator of an electronic communications network and any provider of an electronic communications service that may be summoned to communicate the data as referred to in paragraph 1, is to provide the data that were requested to the Public Prosecutor or the officer of the criminal investigation department within a period to be determined by the King, upon proposal from the Minister of Justice and the Minister in charge of Telecommunications. The King defines, upon advice from the Commission for the protection of privacy and upon proposal from the Minister of Justice and the Minister in charge of Telecommunications, the technical conditions for access to the data as referred to in §1, that are available for the Public Prosecutor and for the police department as indicated in the same paragraph. Any person that may become aware of the measure because of being served or that may participate in the same, is bound by secrecy. Any violation of secrecy shall be sanctioned in accordance with Article 458 of the Penal Code. Any refusal to communicate the data shall be sanctioned with a pecuniary penalty of twenty-six Euros up to ten thousand Euros.”.
That the issue is still under debate is evidenced by the observations of some countries (Canada, Germany, Japan, Slovakia and USA) contrary to a broad interpretation of Article 18.1.b of the Budapest Convention in view of the adoption of the associated Guidance Note, in the documentation of the T-CY 16th Plenary—item 5: www.coe.int/en/web/cybercrime/t-cy-plenaries. On 1 February 2017 Cloud Evidence Group (together with representatives of Canada, France, Germany, Japan, Liechtenstein, Slovakia and USA) reached agreement on a shared text. So the “Guidance Note on production orders for subscriber information (Article 18 Budapest Convention)”, subject to a new written approval process without any further comments were adopted on 28 February 2017: www.coe.int/en/web/cybercrime/-/t-cy-adopts-guidance-note-on-article-18.
“Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order: a. a person in its territory to submit specified computer data in that person’s possession or control, which is stored in a computer system or a computer-data storage medium; and b. a service provider offering its services in the territory of the Party to submit subscriber information relating to such services in that service provider’s possession or control”: thus Article 18.1 Budapest Convention.
Zurück zum Zitat Cajani F (2009) Interception of communications: Skype, Google, Yahoo! and Microsoft tools and electronic data retention on foreign servers: a legal perspective from a prosecutor conducting an investigation. Digital Evid Electron Signature Law Rev 6:158 and following Cajani F (2009) Interception of communications: Skype, Google, Yahoo! and Microsoft tools and electronic data retention on foreign servers: a legal perspective from a prosecutor conducting an investigation. Digital Evid Electron Signature Law Rev 6:158 and following
Zurück zum Zitat Cajani F (2010) La Convenzione di Budapest nell’insostenibile salto all’indietro del Legislatore italiano, ovvero: quello che le norme non dicono. Ciberspazio e diritto 11:207 and following Cajani F (2010) La Convenzione di Budapest nell’insostenibile salto all’indietro del Legislatore italiano, ovvero: quello che le norme non dicono. Ciberspazio e diritto 11:207 and following
Zurück zum Zitat Stecklow S, Sonne P, Bradley M (2011) Mideast uses western tools to battle the skype rebellion in online.wsj.com (1.6.2011) Stecklow S, Sonne P, Bradley M (2011) Mideast uses western tools to battle the skype rebellion in online.wsj.com (1.6.2011)
- “All Along the Watchtower”: Matters Not Yet Solved Regarding Communication Interception Systems and Electronic Data Retained on Foreign Servers
- Chapter 5