Electronic Evidence in Criminal Matters


Formal Metadata

Title: Electronic Evidence in Criminal Matters
Subtitle: An introduction and critique of the EC proposal for a regulation
Number of Parts: 165
License: CC Attribution 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract: The lecture will give an introduction to the "EC Proposal for a Regulation on European Production and Preservation Orders for Electronic Evidence in Criminal Matters (COM (2018) 225 final)" and to its impact on the civil liberties of users, as well as the challenges for service providers of the diverse range of services covered by the proposal. Urgent action is required now by diverse groups to fight the existing proposal and prevent it from becoming binding law throughout the EU.
Transcript: English (auto-generated)
Welcome, everybody, to our next talk, Electronic Evidence in Criminal Matters, an introduction
and critique of the EC proposal for a regulation. Our speaker is Klaus Landefeld. He is a member of the board of the eco Association of the Internet Industry, and he's also on the board of directors at the DE-CIX Group AG.
And usually, at first sight, you would think that it is a good idea to have an easier way for law enforcement authorities to secure electronic evidence when there is the suspicion that maybe there was a crime committed. That sounds reasonable at first, but as is often the case with such proposals, there are some shady side effects that people either have not thought of or they have thought
of them, but they don't care. Particularly, there's a lot of concern when it comes to data privacy, and Klaus is going to tell us now what the problem is and what should be done about it. So please give a big warm round of applause for Klaus, and have fun.

Yeah, a proposal for a regulation on European production and preservation for electronic
evidence in criminal matters is a very ungainly name, and it has come out as cumbersome as one might expect. So what's it all about? It's actually a proposal from the commission from April this year with a proposed regulation. Regulation meaning it will become direct law in every country, so there doesn't need to
be any transmutation into national law. Let's be very clear right from the onset. This is about access to stored data by law enforcement. So this is not about mass surveillance or preemptive measures or something like that. There needs to be an ongoing investigation, and this is about gaining evidence for
that ongoing investigation. So it compels service providers who enable legal or natural persons in one or more member states, to use the services listed, I will explain what that means, to directly cooperate with law enforcement from another member state.
Usually that never happens, so you're only talking to law enforcement in your own member state, and that's actually what is different. So the scope of the regulation is that a service provider is supposed to provide a full copy of all stored data, so I go into data types a bit later as well, from the inquiring
member state. So data types could be everything, telephone records, email transaction data, communication data, cloud storage, anything. And the authorization and the limitations for the access exclusively follow the law of the requesting member state, meaning the state where the investigation is actually happening.
So it doesn't matter where you are, which law system you're under, the only law which is required to be upheld at that point in time is the law of the inquiring member state, which is one of the big problems of the proposal. So it isn't even a requirement to even involve the state where you reside in, or
even inform the authorities that data was requested from a service provider in your country. So which type of services are covered? I think that's one of the most essential parts. So the Commission made a presentation for that at the open meeting in May, and gave
some examples of service providers. So everything you'll see in the next three slides is not from me, this is actually the examples provided by the Commission. And it's three areas, it's electronic communication service as defined by the European electronic
communication code. It is also information society services, that means things like social networks, online marketplaces, other services facilitating transactions, hosting service providers, all this stuff, but also internet domain name registrars and registries, IP numbering services
and things like that. So what were the examples given by the Commission? For access service, they used BT, Vodafone, every internet access service, be it via fixed line or mobile, is basically covered. That also covers, in principle at least, Wi-Fi providers, even though it's very difficult
obviously to get some data from them. It's also interpersonal communication services, so everything, email, SMS, stuff like that, so they use KPN, Vodafone, but you'll see also Telegram, Skype, WhatsApp, Signal. So they're after every type of interpersonal communication, also email services, everything.
A bit more tricky is the conveyance of signals, that's also one area. So what the Commission listed here is, in principle, also ISP satellite network providers but also radio and TV broadcasters, so they could basically tell you, oh, if you have a subscription, was that used from somewhere else to gain insight into where people were
using the service from, for example. However, in having further talks with the Commission, we found out that might also include IoT services, all sorts of other communications where the only requirement
is that the company offering the service controls the transmission of the signals over the network, which obviously falls for every closed service. So it's a very broad definition, it gets even worse if you look at the information society services, they're obviously looking at social networks like Facebook, Twitter,
LinkedIn, Google, online marketplaces, Amazon, eBay, Twitter, was explicitly mentioned as examples, but also, and this is where it gets tricky, hosting service providers like Amazon Web Services, OVH, cloud service providers for corporate infrastructure.
What does that mean? Basically, everything which is stored with someone else could be accessed through that regulation. They also mentioned services like YouTube for uploaded videos, Microsoft Azure, Microsoft
Office 365, I was kind of like, wait a second, does that mean a document is stored there? Yes, that's what it means. Online gaming websites or even things like iTunes, so what did you download there and when did you use the service from where? This is all stored data, so you could basically get transaction data from these services.
For the internet domain, IP numbering service, they use RIPE as an example for the IP addresses, for registries, EURid, the registration service, but that obviously goes for the German registration service and all the similar ones as well, so this is just examples, registrars
like OVH.com, KPN and things like that. But also privacy and proxy service providers, United Domains was listed because they provide the anonymity service nowadays under the GDPR so that you can't see who's actually behind the domain, so they can target these as well in order to release who's actually ordering
the service. Well, to be very clear, it is all data stored in a single member state which is supposed to be released to a requesting member state law enforcement authority within ten days. Or in emergencies, even within six hours.
So service providers are required to deliver a full set of data stored with them within six hours if it's declared a very important inquiry, without involving your national authorities at all. The idea behind it is that each EU member state has its own sovereign laws and that
the law enforcement procedures can be followed through to investigate in all EU member states regardless of the locality of the actual stored data. The service providers are not even supposed to check the legality of the request.
And most often they will not be able to do so because they don't know the law system of the country where the inquiry actually comes from. And that is not harmonized. Criminal law is not harmonized throughout the EU. So the time frames, what can be prosecuted, what even is a punishable offense,
and things like that is not harmonized throughout the EU at all. Can LEAs do that already? That's a question I often hear. In principle, they can already do that. They can access all sorts of stored information. If they have an ongoing investigation to further a case or further the ongoing investigation,
they can already submit a request for stored data, but not to the service provider. They'll have to go to the law enforcement authorities of the country where the service provider resides, or the customer resides, in order to get that processed. So the authorities where the seat of the service providers will have to process the request
and will only forward it to the service provider if that is a punishable offense under local law and the request warrants a release of the data. There might be other provisions why that is not acceptable to release the data.
This is all circumvented by this proposed regulation. Normally, it's the obligation of the local authorities to observe our local laws that the individual fundamental rights and all legal remedies are given to the person in question and things like that.
That's all upheld under the normal procedures, the multilateral agreements, by the local authorities. So what are the challenges to individual rights? There are certain problem areas identified. Obviously, the enforcement of due process and the legal remedies for the individual are not clear at all.
If you live in a country, data from you is requested. What do you know about what is happening in Voga-Voga land, whatever? I mean, what the legal remedies are there? How do you actually file a court case? What are your rights under their data protection laws and everything? You just don't know, and there is no harmonization in that as well.
Even the information after a case is closed and you were cleared, maybe, that you're informed that data of you was handled at all. There is no harmonization for that as well. You might never learn that your data was actually released. Typically, under national law, there are provisions that this happens,
to this and that extent, one way or the other. This proposed regulation does not cover that at all. Only the law of the requesting country is taken into account. So we have some examples on where that might affect people.
A good example is abortion in Poland, it's illegal there. You might have several years of jail time for that. In other countries, it's completely legal. So if you would use email services to arrange for that in the Netherlands, you might be very careful that you won't have that visible in Poland.
Still, it might be requested now from the Netherlands. And you might be prosecuted based on that. We had a good example in Germany earlier this year when Puigdemont was even within the authorities. They actually put him under hold at some point.
But the German court ruled, wait, the offense where the arrest order was put into effect, that's not even prosecutable in Germany. So they had to release him again. But everything which would have happened in between, telephone calls, cloud data, anything, emails sent from that
could have been requested by the Spanish authorities, if that were already law. Another good example in Austria, it's legal to use toll data to actually build a case against someone where someone used the roads.
There's a provision in German law that you can't do that. The data of toll collect cannot be asked for by the authorities to build a criminal case. There's no provision that this is not going to happen. Meaning, data can be inquired from a foreign country which your national law enforcement authorities cannot even inquire.
Which is, it's very hard to explain to local law enforcement that they cannot ask for data which other European countries can ask for. We have the same problem with the types of cell data, for example, or location data from cell phones.
In Spain, you can do mass inquiries even for whole zones or whole cities, which is illegal in Germany. So a typical example from Telefónica, they told us, oh, it's normal, we release several hundred thousand data sets for one inquiry,
while in Germany, this would be completely illegal. Also, there is no harmonization for the treatment of stored data, so very personal information, photos, diaries. But also, if you look at the fact that they want to go for cloud service providers for enterprises, what about company secrets, about intellectual property rights?
Are we supposed to release everything, your whole cloud storage, whole corporate networks, cloud storage, to law enforcement based on a request which might not even be prosecutable in your own home country? It's very unclear, and that has not been remedied in the talks over the course of the year.
Interesting enough, a similar measure would never be accepted in the physical world. So imagine the Hungarian police ringing at some flat in Vienna somewhere in the morning, just looking at it, copying everything they want and leaving again, not even telling the Austrian authorities they were there.
Completely unthinkable. No one would accept that, or no country would accept that. But in the digital world, it's exactly the same. So they think, well, why not? It's just digital data. The same is, they have certain constitutional rights.
Best one, well, obviously, I know that best because I'm from Germany, but we have something which is called the Kernbereichsschutz in Germany. That is the core private life, which is protected even from law enforcement. They cannot look at this data. And in the Lisbon Treaty, there was even a provision for that, that no European law can infringe on that right.
This one does, if it becomes law. So obviously, it's not thought through, and it needs some amendments. There are also procedural problems. So every judicial authority of a member state is authorized to issue a European production and preservation order
and directly contact the service provider that offered the service. So we're talking about tens of thousands of service providers throughout the EU, but we're also talking about thousands of authorities which are in principle allowed to issue these production and preservation orders. So in Germany, this is 900 eligible authorities.
We counted them, and we did some counts in some other countries, so we estimate it to be 13,000 authorities which can go to every single service provider and ask them to produce data. An impossible amount. How should the service provider be able to detect manipulation? How should we even know that this is a genuine request
that the authority inquiring the data is even allowed to do so? So possibly the EU Commission could publish an official list of authorized agencies, but it says, oh, no, we're not going to do that. This is the individual country's responsibility,
and the countries do not want to publish this list of authorized agencies. Which makes it even more strange, is that coming up with the idea, hmm, is this going to be electronic inquiries which are signed, which we can maybe check upon? No, no, no, this could be paper, it could be text, it could be anything.
So another area which is not harmonized and where the regulation has problems is the regulation of maximum penalties or minimum penalties. It's a bit unclear. One of these orders can only be sent out
if the crime you're accused of is punishable in the issuing state with a sentence of at least three years. But this is, it's not really very much. So there could be fraud, there could be anything. So three years is a joke, especially looking at the fact that there might be several countries inquiring the data.
And even if in your country or in your neighboring country it might be only two years, there could be another country in the EU where there's a five-year penalty on exactly the same crime. So this doesn't really give you anything. And a case-by-case examination of the service provider is not possible anyway.
How should a service provider be able to check if that specific offense, which he's not really even in detail told about because he's not allowed to know what the specific offense is, and how should you check if that legality is upheld and if the request of the assessment of the state inquiring the data that yes, this is an offense punishable
by at least three years, is actually true. The service provider will not be able to do this. And the same thing goes for the question if that is punishable in my country at all. So we cannot really tell.
These problems could be solved by a binding list from the European Union, and that would be sensible in considering harmonization is what they're really trying to do. So that specific offenses are listed in sort of a catalogue, where you can say, OK, this offense on a pan-European level,
we see this minimum sentencing or things. But the states have signaled, they have no interest whatsoever in harmonization of the criminal laws. So they don't want to produce that catalogue, and they cannot agree on a catalogue. So it is very clear
that obviously companies should not be permitted to produce data for foreign authorities that would domestically not be punishable. But it is very unclear right now how this can be achieved, how a service provider is able to check
that anything he receives is genuine. The same goes for the relationship to third-party states. There should be a provision in there that transfer of the data gained should not be allowed to be transferred to a third party.
So one European member state requests data and then shares it with the US, for example. I think it's very clear that this should not happen. But at the moment, individual member states can negotiate their own individual agreements with whom they share data under what provisions.
And we think that there should be something in the regulation that says no, this can only be done through the entire union if, for example, the US Cloud Act, there's a provision that data is shared with the EU, it should be harmonized, it should be the same regulations,
the same way to do this throughout the European Union so that not one country can do their own individual contract on that. The same goes for the existing process. There is a process of voluntary cooperation and a lot of countries have individual contracts
between each other on how to share data. So whatever the Netherlands and Germany have a contract, Austria and Germany have a contract, France and Spain have a contract, and how to help each other in gaining this data. Currently, it's not clear what is the leading law.
Will this be the new regulation, be the conclusive agreement, or will the individual contracts still be upheld, especially if there are lower standards, and in some cases, there are lower standards for this cooperation than what the EPOC now stipulates.
And obviously, this also goes for the non-EU states and the production of evidence there. So it must be very clear for all parties involved what is the new standard and which standard should be applied. Even worse, there are no technical provisions whatsoever.
The proposed regulation is only about procedures and minimum sentencing and things like that. There isn't even an opening clause to come up with a technical specification. But in order to make this a timely response,
if we consider six hours and things like that, we need a technical regulation if something like this will even come to pass. So for the European investigative order, there's an ETSI standard, which secures the integrity and the privacy of the data while it is transmitted. It's obviously encrypted.
For the EPOC, there's nothing. It's not even clear how this is supposed to be transmitted. You could receive a fax, and then what do you do? You produce electronic data. You don't even know what to send it to. Unencrypted via email? There's no provision in there at all. And if the opening clause for technical provision
will not be in the proposed regulation, then you cannot have a technical provision afterwards. You need to amend the regulation. So this is really a requirement which is absolutely essential in a digital world. I can't even understand how someone can come up with a proposal for electronic evidence,
which does not say it needs to be transmitted electronically. I mean, it's, well, okay. Yeah, well, for people versed in digital matters, it's, I don't know. So the same goes for companies. I mean, obviously a lot of you probably work
for providers or some companies which offer digital services. So in principle, a unified procedure for a single market. I mean, we're working on the single European market for electronic communication, for electronic goods and services.
So in principle, the idea that there is a unified procedure on how to access data and what data should be accessed is not a bad idea. I have to admit, it's sometimes very difficult to work in the current system where there are individual agreements between some states and what can be shared and how it's done
is a bit unclear. And you never know when your own local authorities talk to you and request some data if this is actually for some other country. You never know. So a procedure would be very helpful. But the direct contact of foreign state authorities
with you as a service provider in another country means there is a discharge of foreign tasks by your own state. And that is something which we view as very problematic because who is responsible to uphold the rights of the individuals in that setup? Will that be discharged to the private company,
the private sector? It's something which, obviously, politicians are trying to do all throughout the EU, typically within national law. So there's a lot of state responsibilities being outsourced to private sector companies nowadays. But on international law or international treaties, you almost never see that.
So why is that in here? Why are the state's three responsibilities simply ignored and the individual countries have no rights, no safeguards, nothing in there to protect their own citizens? That, as industry view, is a big problem.
Because obviously, this is also about liabilities. It needs to be clear for a service provider releasing data based on that regulation that I'm only acting in an official capacity, working on an official state order and carry out measures that have been prescribed
by, well, yes, some other state, but at least by some state. So I'm not liable for releasing that data. Under the current proposal, it's not even clear if the user could not sue me for releasing that data. Yes, it is EU law, but it's very unclear how that relates to the national law about safeguarding data of the individuals.
Actually, one provision is in there, which states that if I don't follow the order, if I don't release the data in a timely manner, I could be fined up to 2% of my turnover as a company. So again, very hefty
financial risk not responding in emergencies within a couple of hours. So am I willing to take that risk? Am I willing as a company to not follow that order and actually do some checks, do some legality checks?
I might not. If I'm a large company, I'm talking about several million euros or even a billion euro or something like that in potential fines for not following that request. It's very difficult. So this should really be put into the proposal.
It should also be very clear that if that was a manipulated request, then I have no means to check this. I have no means to do a signature check or something like that. If I receive a fax with a stamp from some court somewhere, I cannot verify if that is even a true court,
if that even exists, or if that has the authority to request this type of data. Under the current proposal, I'm supposed to simply release data. I'm not even supposed to properly check this. So can I be made liable if that was fraud, let's say court fraud, that we think is a big problem,
at least for the companies? How can you do business in an environment like that? And obviously, you cannot check if that is legal in 28 different legal systems. And it should also be clear, and it's also not part of the proposition right now, that the data cannot be used for something else.
So it was requested for one thing, and it can be used in a different legal case. Not even that is in there. And also, it should be very clear that evidence released to a law enforcement authority, and then it becomes clear that this data should not have been released,
that it cannot be used in court, and that is also not in there. So what is the current status of the proposal, and where are we in the process? It's not law yet. It's not passed. The European Data Protection Board adopted a resolution
that said this is very critical, and it's not supposed or shouldn't happen on the 26th of September. But the council, so the EC Council, adopted it as is, without amendments, on the 7th of December. So if it goes through parliament as well,
then it would become law immediately. If the parliament stops it, then there will be trilogue disputes, and we can actually still prevent it from becoming law. The parliament held a hearing on the 28th of November,
and it's currently not clear if there will be any further hearings or proceedings before the EU election in May. So what is required? And that's where I say it should be a call to action. Please, in this case, really, NGOs, private individuals and companies, we're all on the same side here.
This should not come to pass as it is, because it will really rob you of clear law and a clear system on where you are, on what is really the law system you work in, and you can actually have a clear understanding
of what, if you save something on the net or if you put something in storage somewhere, if that is not released to someone else. Only a handful of companies opposed the regulation, so there was active opposition to that. There was Germany, the Netherlands, Finland and Greece, and also Hungary, the Czech Republic,
but on different grounds, because they thought it doesn't go far enough. So, well, that's the typical thing you have in the council. However, the primary advocates for the proposal were France, Spain, Ireland and Belgium, so they sponsored it. So especially in these countries,
it would be helpful if people would become active, talk to their governments locally, talk to their parliaments, and actually say, okay, well, what is happening here? Why do you support this? Support can still be withdrawn until this was actually adopted. Also, obviously, people should talk
to their members of parliament and make clear that this is not something which should become law. So, as I said, there's still some time to act, probably the first quarter at least, maybe up until after the European election in May, and I hope that there will be some action
that people see that this is a big problem and these production orders should not come to pass. Yeah, thank you very much. Materials used. I recommend these as readings. So there was the opinion of the European Data Protection Board, the original proposal,
but also a study for the parliament done, so the legal committee of the parliament, which also strongly requests the parliament not to adopt this. So if you're interested in the topic, look at these materials, and yeah, I'm open for questions.
Thank you very much for the talk, Klaus. We still have quite some time for questions and answers, so if you have any questions, you can move to any of the microphones we have here in the room, and then we will be happy to take your questions.
Are there any questions from the internet so far? Doesn't seem so, they're still thinking about it maybe. So, let us start with microphone number five. For the electronic ticket choice and the proof to have a valid request, wouldn't it also be wise to ask for
a secondary legal check by the local authority? Because when you have a digital format, you can also speed up the check by the authorities. Yes, we thought that, well, actually what the service providers proposed was that it should actually be sent out
from the local authorities to some central agency within the state, well, the original requesting authority to sign it, the outgoing central authority should have signed it, then there was an inbound called double tandem so that both countries actually check on it, and only then it's forwarded to the service provider
and you would be able to check signatures on this. So, there was a legality check and also an integrity or an authorization check on this, but it was flatly refused. Even in Germany, the Bundesamt and they said, oh, but we can't do this 24-7
within six hours, it's impossible. So, every service provider is supposed to do it, but they cannot do it. But the actual legality check, outbound and inbound, we think this is absolutely mandatory to do. Thank you, next question for microphone number two. Thanks, Klaus, for reporting about this nightmare.
When there is an incoming request from a local authority, let's say to DE-CIX, is there any proposal in which language it should be? Should it be in German or in Polish or are you expected to learn all these languages? Well, actually, DE-CIX cannot have these requests,
different story. Actually, every company or every service provider is supposed to publish an address to forward requests to and the languages they are willing to accept these in on their website. Don't ask me why.
We thought that as with the list of authorities being eligible to request a list of service providers which can actually receive these, it would be a nice thing to compile on a national level and then be exchanged, maybe through Europol or something like that. But again, flatly refused because one, it's too difficult to compile this list
of authorities who can inquire and electronic signing is completely out of the question. This is supposed to be a couple of years before the local authorities can sign stuff. And also, this finite list of service providers who can actually receive it
was supposed to be impossible to compile because you've seen there's some rather open definitions in there like these controlling signals on the network stuff, right? Anyone who's transmitting and storing data in some fashion could potentially be a target.
So the authorities thought that it's impossible to compile a complete list of potential recipients. I'd like to remind the people who are already leaving to please do so quietly and everybody else who's in the room to also be quiet. Next question from microphone number three, please.
So since you have a big German audience, sorry to echo, since you have a big German audience, which of the German European Parliament politicians support and oppose this and which of them do you think should we direct our attention to? Honestly, I cannot answer that
because I haven't talked to the German members of Parliament because we were able to convince the German government that this is a bad idea and they oppose the measure altogether. So we need to do this now and we also need to go to Parliament, of course, but my colleague in Brussels already did this but I don't know who he actually talked to
and who he didn't. That would be Thomas Bielmeier of Eco. He's talking to the Parliament there. Microphone number seven, please. How are the sending authorities supposed to identify where to send the request? Like even if you look up an IP address, it might not actually be the company that's responsible for the server.
It might even be like the upstream ISP of the co-location company that has a customer that's where you're supposed to send the request. Very good question. No, I seriously cannot answer. The proposal doesn't stipulate that. There is no provision in there how to find out who the actual service provider is.
But that problem is there today as well. So they need to identify who the service provider is today as well. So there's really no change for the requesting authorities there. Microphone number six, please. Hi, thanks for the talk. I was wondering, so you said attacking states, laws
are above the targeted states' laws. Could this, could there be any protection? Like if my state's constitution says a foreign law cannot apply here, could it invalidate the regulation?
That's what we're aiming for. We hope that this will actually come because this is what would be required. If, for example, there are preventions to use data for doctors and members of parliament and things like that, that's not even in there as well.
So if there are local requirements that data cannot be released, that is not upheld as well. So, and it's actually a good attacking point for members of parliament to tell them, well, you know what, under this, even your data can be released. And they're typically very proud of their protection.
It's, this proposed regulation doesn't clarify this. You have to release the data no matter what because the presumed check already happened at the requesting entity. And it's only a question if it's punishable with at least three years in the requesting state.
So your law doesn't matter at all in the regulation as it is right now. Now the time of the internet has come and they will be asking their question. I actually have kind of a double question for one. Does, is law enforcement actually defined in a way or is it just law enforcement without any definition?
It's, well, it is actually, for some things you need a court order as well. So it's basically police, the state attorneys and the courts on the different levels. And under some local jurisdictions,
it's very clear that data can also be requested by secret services and things like that as well. So they would probably fall in that range as well, even though it explicitly says that it's only for criminal proceedings. So it's very difficult to tell if they will probably be able to send this
through some police agency or something like that. So it's clearly just for criminal proceedings. Does one actually need to go to kind of a judge even in the requesting country or is it completely free to send a request? That depends on what the local law says.
If you can request IP addresses, names, certain types of data in the local law without a judge. So if police or the state attorney can do it, then only their signature is required. If the local law states that the judge is required, then you would need the authorization by a judge. However, if you want content data,
that's a special point in there. So if you want content or whatever of a cloud service or something like that, it will always require the signature of a judge, but this could be from a local court. Microphone number two, your time has come. Please do go very close to the microphone.
Thanks for the wonderful talk and preparing it in such a short time. I would have two questions that popped into my mind. One of them is that we have extensive cooperation contracts between legal entities within the European Union. So if I see this correctly, so far, the proposed procedure would allow to basically play it
in tandem to get the information. So my police is gonna ask someone else's police, the police from another state, to ask for data that the police can't ask for. And I don't see how this is omitted in any way. Well, I had this in the presentation
that we think that only the state where there are actually criminal proceedings should be able to request the data, but it's not very clear right now in the proposed regulation. So this needs to be clarified. We think that especially this part,
that data can be handed on to someone else because you have a different contract in place, that this should be explicitly prohibited under this regulation. It's not part of the proposal right now. Microphone number two, please do ask your second question.
The other point was, when does data count as being stored? Is this like two minutes after I finished my phone call or an hour or 24 hours or? Well, the proposal doesn't say. Typically, that is also something which is under local law. And it actually differs from country to country
what is considered stored data, but it's typically all sorts of account data, all sorts of data which is stored, more from emails, cloud data, and things like that. Data in transit, which is only temporarily stored somewhere, typically does not count as stored data. Microphone number five.
Would I be out of the scope if I run my own mail server, like universities or other big companies do? Well, if you run your own services, you're obviously out of scope for the proposal,
because it needs to be a service provider enabling other persons in order to do that. And obviously, it wouldn't do much good to send you a request to release your own data. But universities and things like that, that is really up to local law. So under certain provisions, I don't know that for many countries, but I know that in Germany, for emails, for example,
they have an exemption, they don't need to provide that. So this is part of what I mean when I say we need to actually change local procedures as well to clarify who's within scope and who's not. This is all about, oh, it's kind of like up to local law, but if I'm not required to store something
or to actually have data, and then someone from Spain or whatever inquires something because companies there are required to store that, well, obviously, if I'm not storing anything, then I can't release anything, but it might work the other way around. Like in Poland, they have data retention for five years.
In some other countries, they don't have data retention laws at all, or maybe six months. And then you request something and you receive data for five years. That's obviously not intended from the requesting entity. So this might work both ways. And the internet has the honor of asking the final question for the session. So one user asked if we should use the law
against the politicians which proposed it, if it actually comes into effect to kind of show them how bad it really is. Well, if you get some other law enforcement agency to request that data, yes, you could do that because there's no provision against it, but I can't really answer that, sorry.
All right, anyways, thank you very much for all of your questions. Thank you so much for being so active. Also, thank you very much to Klaus again for giving this very informative talk. Please give another big round of warm applause to Klaus. Thank you. Thank you. Thank you.