Law enforcement, cyberspace & jurisdiction

7 Dec 2016 13:00h - 14:30h

Event report

[Read more session reports and live updates from the 11th Internet Governance Forum]

The session, chaired by Mr Christian Borggreen, Director, International Policy, Computer & Communications Industry Association (CCIA), aimed to discuss the challenges identified by main stakeholders regarding cloud data and law enforcement evidence; national, regional and global solutions for cooperation; and ways to avoid the fragmentation of cyberspace.

Ms Neide de Oliveira, Coordinator of the National Working Group on Cybercrime, Brazil, provided an update on the situation in her country, where cyber evidence is discussed in tandem at the state and federal levels, based on the Marco Civil framework. The latter has safeguards for data preservation, connection to Internet and access to Internet applications; while not (yet) backed by a Data Protection law in Brazil, it guarantees privacy and freedom of expression. Internationally, Brazil is advocating for more co-operation on Mutual Legal Assistance Treaties (MLATs). Ms Paul Mitchell, General Manager, Technology Policy, Microsoft Corporation, drew attention to the interplay between national and international law, pointing to the ongoing dispute between Microsoft and the US over whether American prosecutors can gain access to emails stored on servers in Ireland. While there is controversy in those cases, there are frameworks today for international agreements that can and do work (e.g. Microsoft responded to email data requests of two terrorists in the Charlie Hebdo attacks in 47 minutes). Yet, when dealing with data requests in one country, operators often face the problem of conflicting laws. Ms Nathalia Foditsch, American University, presented the cost and limitations of recent law enforcement actions. On average, it takes about 10 months to get a reply to an MLAT request. Yet, when discussing alternatives to the MLAT system, what needs to be taken into account is to extent to which proposals might foster further privatisation in the governance of the Internet. Among the dangers she listed were data localisation mandates and government hacking risks.

Ms Emma Llanso, Director of the Free Expression Project, Center for Democracy & Technology, made a case for the importance of transparency in trans-border data flows not only for users, but also for governments and companies. Transparency enables accountability and individual empowerment and helps inform policy discussions and advocacy. She referred to the recent report of the Freedom Online Coalition Working Group on the state of play around data transparency. A major challenge to fostering transparency is the scale of the big data management project and the classification of data to make public.

Mr Bertrand de la Chapelle, Director, Internet & Jurisdiction Project, talked about their project on cross-border access to user data, presented at a conference in Paris last month. In his opinion, it is important to foster policy coherence, first by developing standards and processes for access to basic subscriber information. Establishing jurisdiction is particularly difficult: should it be the location of the server or of the company that counts when data requests are made? De la Chapelle argued that neither is optimal, and more criteria should be taken into account, such as the location of the crime or the nationality/residence of the person whose data is requested. Among the areas for co-operation to be explored are: criteria for determining jurisdiction, due process mechanisms and harmonisation of standards on user notification.

Mr Alexander Seger, Head of Cybercrime Division, Council of Europe, provided an overview of the solutions under discussion in the framework of the Budapest Convention on Cybercrime. The convention has 50 parties and 17 observer states. It has a working group on cloud evidence, established 2 years ago, which recently released a set of recommendations. ‘Without data, there is no evidence, there is no justice’, said Seger. The challenges around subscriber data, loss of knowledge of location and enhanced European regulations as of April 2018 were also mentioned.

During the Q&A, it was clearly stated that courts cannot make decisions about actions outside of their jurisdictions.

Questions were often answered with recommendations, that actors:

avoid a jungle of solutions, to avoid not only making the problem harder to solve, but actually causing harm;
emphasise training of judges; clarify the interpretations and intentions of laws;
apply more efficient penalties, like blocking financial accounts, rather than interrupting services, since service interruptions affect millions of users and are hard to enforce;
do not focus only on the location of the data, but on the person in possession or control as the key factor; and
be aware of large/small providers and large/small country differences which cause other complexities for compliance with a threshold of scale.

Other responses suggested awareness of nuances that affect the context:

realise that no single actor or group of actors can solve the problems of Internet and jurisdiction in the policy network;
understand different complications and challenges – e.g. how do you know where I am, what my jurisdiction is, if my location is hidden?;
foster real dialogue: prosecutors should learn that it is productive to knock, and ask questions before being aggressive; to elicit cooperation; remember that service providers answer to the laws of their own lands;
consider forum shopping/ability, the possibility to respond directly to foreign government requests, the multi-factor test, the nationality/residence of users; and
be aware of which standards apply in which jurisdictions, and the utility of minimum thresholds: lowering some standards (such as HR/privacy) may actually result in wider compliance.

In conclusion, panelists each made one suggestion for future focus, which included: