Electronic evidence

Electronic evidence consists of these two sub-forms:

analog (no longer so prevalent, but still existent in some sound recordings e.g), and
digital evidence (see longer article)

This rather complex relationship can be depicted graphically as shown in this part of an EU-funded project on the topic embedded here at the right. Chapter 10 of the associated 2018 book goes into more detail,^[1] as does the website, http://www.evidenceproject.eu/categorization

Electronic evidence can be abbreviated as e-evidence; this shorter term is gaining in acceptance in Continental Europe. This page covers mainly activity there and on the international level.^[2]

Global Privacy Assembly

Access is the area where much of the current activity on the international level is taking place. A network called the Internet & Jurisdiction Policy Network holds global conferences on the topic at various locations.^[3] Here are six key supranational developments in Geneva, New York, Strasbourg, Paris and Brussels. In February 2022 an authoritative report was published covering worldwide developments.^[4]

The GPA of Data Protection and Privacy Commissioners "unsurprisingly places greater emphasis on individuals’ privacy rights than did the OECD draft" of 2021.^[5] In 2021 GPA developed a document summing up its concerns. ^[6]

International Organization for Standardization (ISO)

There is an international forensic standard issued by ISO with the International Electrical Commission ISO/IEC 27037.^[7]

United Nations

Late in 2019 Russia and China initiated a move to consider drafting a global cybercrime convention. Western democracies are conspicuously absent from the sponsoring parties.^[8] Many non-governmental organizations (NGOs) have issued a protest letter claiming the Russian initiative would potentially infringe upon human rights.^[9] The General Assembly, to the surprise of many observers, approved both the proposals of the United States and Russia. ^[10]

Council of Europe

The Budapest Convention on Cybercrime (“Budapest Convention”) is "the first international treaty on crimes committed via the Internet".^[11]

The CoE is currently drafting an update in the form of a second additional protocol to the Convention. An international group of national data protection authorities with a secretariat in Germany called the International Working Group on Data Protection in Telecommunications is monitoring the Council of Europe Cybercrime Convention holding 60-some meetings on the access problem, most recently to address events in Brazil, Belgium and China in addition to the Microsoft Ireland case.^[12]

The draft protocol has proven quite controversial.^[13] Two joint civil society statements have been submitted.^[14] ^[15] "The Cybercrime Convention Committee had extended the negotiations of the protocol to December 2020." ^[16] Meanwhile there are the guidelines from 2019. ^[17]

OECD

In 2021 deliberations began at the OECD to develop common principles among member countries. There are two major methods of access: compelled (or obliged) access and direct (including covert) access. The EU wants to address both, whereas the United States is hesitant to include covert access. ^[18]

European Union

The European Commission (as the only body holding the right of initiative) has made two legislative proposals (a Directive on establishing a legal representative,^[19] and a Regulation on access to evidence for criminal investigations).^[20] Taken together, these proposals comprise a "package". The legislators, i.e. the Parliament and the Council, have meanwhile found positions in regard to that Commission proposal. The Council calls its position a "general approach".

The committees in the Parliament have different competences, which are sometimes not easily distinguished, so sometimes there are competence disputes. LIBE has received "the lead", or lead competence working on the proposals, and has subsequently produced a report. The rapporteur Birgit Sippel MEP proposed changes to the versions of the Commission and the Council. The report has given rise to both a summary ^[21] and a more detailed commentary analysing its provisions for their efficiency and protection of human rights.^[22] Agreement has been reached in the Parliament on how to enter the trilogue negotiations (EP+CoU+COM). ^[23] The differences in the two versions prepared by the Council and Parliament respectively are shown in a couple of documents ^[24]

In what can be seen as an accelerated procedure as opposed to the ordinary first reading/second reading procedure, the report was only voted on in LIBE. The EP Plenary then mandated the committee to take up negotiations with the Council, while the Commission formally played a neutral advisory role. Formally, the first reading will not be closed until the trilogue has reached an agreement. Then the plenary will vote on the trilogue negotiation outcome as its first reading position, and effectively also allow it to become law. There could also be a situation where no agreement can be reached, in which case the Parliament would vote on the unchanged LIBE report to finalise the first reading and make it the Parliament position, before entering into a second reading. In July 2022 there has been movement in the negotiations. ^[25]

Authoritative texts can be found on the eur-lex website. ^[26]

In February 2019, the European Commission recommended "engaging in two international negotiations on cross-border rules to obtain electronic evidence," one involving the USA ^[27] and one at the CoE.^[28] Indeed, the USA/EU axis and the CoE are the scenes of work on these issues, as described and compared in a 2019 paper advocating a revamping of the Mutual legal assistance treaty, page 17.^[29]

The reason for the above development was given as due to the fact that "[i]n the offline world, authorities can request and obtain documents necessary to investigate a crime within their own country, but electronic evidence is stored online by service providers often based in a different country than [sic] the investigator, even if the crime is only in one country." The Commission then gave data supporting this decision.^[30] Indeed, this is the reason for treating electronic evidence differently from the ways that other evidence is treated. Moreover, it may expedite convergence or some form of reconciliation between the world's two main legal systems, i.e. common law and civil law, at least as regards this use case. Negotiations are set to begin.^[31] However, there are questions as to how the two different systems might converge in a common agreement. ^[32] A deadlock may exist in Europe. ^[33]

The core instruments to handle cross-border requests are: a European Production Order (EPOC) and a European Preservation Order (EPOC-PR). The framework for those instruments is the European evidence warrant.^[34]

Separately from the above, a dedicated convention has been drafted by a British barrister.^[35]

United Kingdom

The UK government announced that the new "UK-US Bilateral Data Access Agreement will dramatically speed up investigations and prosecutions by enabling law enforcement, with appropriate authorisation, to go directly to the tech companies to access data, rather than through governments, which can take years."

"It gives effect to the Crime (Overseas Production Orders) Act 2019, which received Royal Assent in February this year and was facilitated by the CLOUD Act in America, passed last year."

"The Agreement does not change anything about the way companies can use encryption and does not stop companies from encrypting data." On encryption, the US, UK and Australia are contacting Facebook directly ^[36]

The agreement means that UK officials can now apply to the US via the Crime (Overseas Production Orders) Act 2019.^[37]

United States

The basis for obtaining cross-border access is the Stored Communications Act as amended by the CLOUD Act. A new agreement with the UK was negotiated and it "will enter into force following a six-month Congressional review period mandated by the CLOUD Act, and the related review by UK’s Parliament."^[38]

Controversy

One of the most controversial cases brought yet to a court has been the 2013 Microsoft Corp. v. United States case.

Potential conflicts between the EU regime and the US CLOUD Act have led legal scholars Jennifer Daskal and Peter Swire to propose a US/EU agreement.^[39] Those authors have also assembled a set of FAQ seeking to address questions specifically that have arisen from the European Union in connection with the CLOUD Act.^[40]

Highlighting differences from the status quo, the European Parliament's Committee on Civil Liberties, Justice and Home Affairs commissioned a study and held a hearing; the study is available.^[41]

Europeans discussing ‘Co-operating in the Digital Age’ in the Internet Governance Forum have been critical of the EU's proposals, fearing that "companies and businesses [might] implement stronger filtering and blocking mechanisms in order to avoid sanctions or reputational damages."^[42] Later in November at the Internet Governance Forum 2019 in Berlin panelists described new initiatives in Brazil and Russia respectively. ^[43]

Some problems quite different from those in the Microsoft case alluded to above have been found and described in an article in the German weekly ZEIT dated 19 December 2018 with 167 comments on the proposed direct access tracks described above under "European Union"; the journalist Martin Klingst entitled it "Nackt per Gesetz" (Naked by Law, meaning exposed to foreign observation by domestic law).^[44]

Klingst is appalled at the thought that an EU member state like Hungary might demand his data. Apparently Katharina Barley, German Federal Minister of Justice, agrees. Germany has protections against infringements on one's "informational self-determination" that are the strongest of any EU member state. The European Arrest Warrant is another example of the national limits placed on EU rights in some conditions.

Besides, Klingst sees a contradiction between having Internet companies be the guardians of right and wrong, whereas in a new draft German law they might be punished themselves. Would other MSs respect Germany's interpretation of who maintains confidentiality? he asks rhetorically.

E-evidence could become the first case, Klingst predicts, testing whether Germany's top judges have reserved enough room for the most basic protections.

Much evidence is plain text; but some evidence is encrypted. In 2015 and 2016, another chapter was added to the long-standing encryption controversy with the FBI-Apple encryption dispute. That controversy continues in 2019 with multiple nation-states pressuring Facebook to put a backdoor in its messenger service.^[45]