I&J contributed

Published on
May 23, 2022

I&JPN co-hosted a session on "How much of your data can be used against you in criminal investigations? A conversation on electronic evidence and types of user data" with the Center for Democracy & Technology (CDT), Cross-Border Data Forum, Electronic Frontier Foundation (EFF) and the Government of Canada on June 8, 2022 at 18:00 UTC.

This session raised awareness on the limitations of the current system, built upon the vestiges of a bygone telco era. It articulated the need for a purpose-oriented and rights-respecting framework through the framing of different perspectives by interventions from Civil Society, Government and Industry actors. 


Ajith Francis, Director, Data & Jurisdiction Program, Internet & Jurisdiction Policy Network


Anitha Ibrahim, AWS Public Policy - Data Protection & Cybersecurity, Amazon Web Services

Greg Nojeim, Senior Counsel and Director of the Freedom, Security & Technology Project, Center for Democracy & Technology

Katitza Rodriguez, Policy Director for Global Privacy, EFF

- Fernanda Domingos, Federal Prosecutor, Federal Prosecutor's Office of the State of São Paulo

About the session

Criminal investigations increasingly rely on so-called “electronic evidence”, i.e. the gamut of user data collected by online services. Are the categories used in legislation still the right ones to ensure proper human rights protections?

Three categories, corresponding to different levels of protection, and largely descending from historic practices in relation to telecom operators, are routinely used:

- Subscriber data (towards identifying users as suspects or victims), 

- Content data (the substance of communication between users), and 

- Traffic and/or transactional data (consisting of timestamps, log of IP addresses, source and destination of communications, etc).

As digital services become ubiquitous, the diversity of user data collected by service providers has grown exponentially. Thus many more types of user data can be requested or obtained. This gives rise to two important questions: 

1. Are the existing protections attached to the three categories sufficient with respect to new types of data (eg: a fitbit device collecting users’ heart-rate and sleep patterns)?

2. More generally, should any type of user data collected by a Service Provider be requestable as part of criminal investigations and construed as electronic evidence? (eg: behavioural and preference user profiles developed by social media platforms to feed into predictive modelling algorithms).