[Read more session reports and live updates from the 11th Internet Governance Forum]
The session, chaired by Mr Christian Borggreen, Director, International Policy, Computer & Communications Industry Association (CCIA), aimed to discuss the challenges identified by main stakeholders regarding cloud data and law enforcement evidence; national, regional and global solutions for cooperation; and ways to avoid the fragmentation of cyberspace.
Ms Neide de Oliveira, Coordinator of the National Working Group on Cybercrime, Brazil, provided an update on the situation in her country, where cyber evidence is discussed in tandem at the state and federal levels, based on the Marco Civil framework. The latter has safeguards for data preservation, connection to Internet and access to Internet applications; while not (yet) backed by a Data Protection law in Brazil, it guarantees privacy and freedom of expression. Internationally, Brazil is advocating for more co-operation on Mutual Legal Assistance Treaties (MLATs). Ms Paul Mitchell, General Manager, Technology Policy, Microsoft Corporation, drew attention to the interplay between national and international law, pointing to the ongoing dispute between Microsoft and the US over whether American prosecutors can gain access to emails stored on servers in Ireland. While there is controversy in those cases, there are frameworks today for international agreements that can and do work (e.g. Microsoft responded to email data requests of two terrorists in the Charlie Hebdo attacks in 47 minutes). Yet, when dealing with data requests in one country, operators often face the problem of conflicting laws. Ms Nathalia Foditsch, American University, presented the cost and limitations of recent law enforcement actions. On average, it takes about 10 months to get a reply to an MLAT request. Yet, when discussing alternatives to the MLAT system, what needs to be taken into account is to extent to which proposals might foster further privatisation in the governance of the Internet. Among the dangers she listed were data localisation mandates and government hacking risks.
Ms Emma Llanso, Director of the Free Expression Project, Center for Democracy & Technology, made a case for the importance of transparency in trans-border data flows not only for users, but also for governments and companies. Transparency enables accountability and individual empowerment and helps inform policy discussions and advocacy. She referred to the recent report of the Freedom Online Coalition Working Group on the state of play around data transparency. A major challenge to fostering transparency is the scale of the big data management project and the classification of data to make public.
Mr Bertrand de la Chapelle, Director, Internet & Jurisdiction Project, talked about their project on cross-border access to user data, presented at a conference in Paris last month. In his opinion, it is important to foster policy coherence, first by developing standards and processes for access to basic subscriber information. Establishing jurisdiction is particularly difficult: should it be the location of the server or of the company that counts when data requests are made? De la Chapelle argued that neither is optimal, and more criteria should be taken into account, such as the location of the crime or the nationality/residence of the person whose data is requested. Among the areas for co-operation to be explored are: criteria for determining jurisdiction, due process mechanisms and harmonisation of standards on user notification.
Mr Alexander Seger, Head of Cybercrime Division, Council of Europe, provided an overview of the solutions under discussion in the framework of the Budapest Convention on Cybercrime. The convention has 50 parties and 17 observer states. It has a working group on cloud evidence, established 2 years ago, which recently released a set of recommendations. ‘Without data, there is no evidence, there is no justice’, said Seger. The challenges around subscriber data, loss of knowledge of location and enhanced European regulations as of April 2018 were also mentioned.
During the Q&A, it was clearly stated that courts cannot make decisions about actions outside of their jurisdictions.
Questions were often answered with recommendations, that actors:
Other responses suggested awareness of nuances that affect the context:
In conclusion, panelists each made one suggestion for future focus, which included:
by Virginia (Ginger) Paque and Dr Roxana Radu