A study entitled “Legal Frameworks for Hacking by Law Enforcement: Identification, Evaluation and Comparison of Practices” was published by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the Committee on Civil Liberties, Justice and Home Affairs (LIBE). It presents policy proposals on the use of hacking techniques by law enforcement authorities. Based on the maturity of the legal framework, public debate and practices, the proposals rely on a thorough comparative examination of the legal frameworks for hacking by Law Enforcement Agencies (LEA) across six EU Member States (France, Germany, Italy, the Netherlands, Poland and the UK) and three non-EU countries (Australia, Israel and the US). Even though the primary rationale behind the study is the international and EU-level debates on the issue of ‘going dark’ (i.e. the decreasing ability of LEA to access and examine evidence due to encryption), it builds its proposals on the failures of other alternatives such as backdoors and zero-day exploits.

The study examines the legal and practical balances and safeguards implemented at national level to ensure the legality, necessity and proportionality of restrictions to the fundamental right to privacy, the security of the internet, and to a lesser extent, the regulation of the sale of hacking tools. Based on these factors, the study highlights several key risk factors imposed by the use of hacking techniques by law enforcement:

Hacking techniques are extremely invasive, particularly when compared with traditional intrusive investigative tools (such as wiretapping and house searches), and this imposes a very high degree of risk to the fundamental right to privacy and freedom of expression and information without appropriate policies in place.

Use of hacking techniques has the potential to significantly weaken the security of the internet by “increasing the attack surface for malicious abuse”, with possible damage far beyond the intended target.

Given the global nature of the Internet, LEA (and service providers) may not know the physical location of the target data – this has given rise to the concept of “loss of knowledge of location”. In many such cases, the LEA may remotely access data located in the jurisdiction of another country, which poses serious risks to territorial sovereignty. Most of the time, LEA breach jurisdictional boundaries unknowingly, due to the confusing nature of the internet infrastructure and the lack of concrete procedures for mutual legal assistance in cross-border investigations.

In the recent past, many civil society organisations (including EDRi members) have questioned the current dual-use export control regimes.

The study further compares the provisions for legal frameworks and their context by evaluating the technical means of hacking and the fundamental rights considerations in order to derive both benefits and risks of the use of hacking techniques by law enforcement. It is found that all the EU Member States examined for the study supplement the common types of ex-ante and ex-post conditions with different, less common, conditions. Some of the key ex-ante considerations include:

judicial authorisation for law enforcement hacking;

restriction on the use of hacking tools based on the gravity of the crime, limited either to a list of crimes for which hacking is permitted or to crimes carrying a maximum custodial sentence greater than a certain number of years, together with a restriction on the duration for which hacking may be used.

Some of the key ex-post considerations include:

provision for the notification of targets of hacking practices and remedy in cases of unlawful hacking; and

reporting through the logging of hacking activities for review, and identification of the oversight mechanisms.

The study highlights some of the criticisms of each country’s legal provisions for hacking, for example, the lack of knowledge amongst the judiciary in France, Germany, Italy and the Netherlands; an unclear definition of the devices that can be targeted in the Netherlands; and the inefficient process for screening and deleting non-relevant data (in Germany). It also underlines some of the good aspects of the provisions, such as the 2017 Italian draft law’s efforts to protect against the overuse or abuse of a hacking tool’s extensive capabilities by separating the functionalities of the tools, and the Dutch Computer Crime III Bill’s requirement to conduct a formal proportionality assessment for each hacking request, with strict rules on the authorisation and expertise of the investigating officers that can perform hacking.

Based on the above analysis, the study derives twelve actionable policy proposals and recommendations. The proposals highlight that the European Parliament should pass a resolution calling on the Member States to conduct a Privacy Impact Assessment when new laws are proposed to permit and govern the use of hacking techniques by LEA, with a clear and precise legal basis. The Parliament should support efforts to evaluate and monitor lawful hacking activities; support efforts to develop appropriate responses to handling zero-day vulnerabilities; and finally it should reaffirm its commitment to strong encryption, considering both the fundamental rights of EU citizens and internet security. Furthermore, the policy proposals emphasise the impact of the EU Agency for Fundamental Rights (FRA) research on fundamental rights protection in the context of surveillance, carried out in response to the Snowden revelations, and recommend producing a similar brief on the legal frameworks governing the use of hacking techniques by LEA across all the EU Member States. The study also strongly proposes that FRA, CEPOL and Eurojust collaborate to provide training to all stakeholders who would potentially be involved in hacking activities.

You can also read this article in German at https://netzpolitik.org/2017/studie-des-europaparlaments-staatstrojaner-bergen-erhebliche-risiken-fuer-das-grundrecht-auf-privatsphaere/.

Legal Frameworks for Hacking by Law Enforcement: Identification, Evaluation and Comparison of Practices

http://www.europarl.europa.eu/RegData/etudes/STUD/2017/583137/IPOL_STU(2017)583137_EN.pdf

Rights groups demand action on export controls (06.03.2017)

https://edri.org/rights-groups-demand-action-export-controls/

(Contribution by Siddharth Rao, Ford-Mozilla Open Web Fellow, EDRi)