Criminal investigations increasingly rely on so-called “electronic evidence”, i.e. the gamut of user data collected by online services.
However, are the categories used in legislation sufficient to ensure proper human rights protections, especially when it comes to new types of data like biometric, iot or even XR data? This was the question asked at a RightsCon 2022 session organized by I&JPN, the Center for Democracy & Technology (CDT), Cross-Border Data Forum, Electronic Frontier Foundation (EFF), and the Government of Canada on June 8, 2022.
Speakers raised important questions relating to data used in criminal investigations and identified three key challenges:
1. Current legal frameworks stem from a different time,
2. There is a need to ensure adequate privacy and data protection thresholds, even for electronic evidence,
3. Users need better awareness of how their data is being used.
Ajith Francis, Director of the Data & Jurisdiction Program, moderated the session and encouraged speakers to consider scalable frameworks that can be used to factor new types of data and even questioned whether all types of data should be available for law enforcement investigations.
Sharing experience from Brazil Federal Prosecutor at the Federal Prosecutor's Office of the State of São Paulo, Fernanda Domingos explained the thresholds of when a judicial order is needed in Brazil. “In general the IP address which can reveal location needs a judicial order” she said, as an example.
Providing the views of a service provider, Anitha Ibrahim from Amazon Web Services discussed the concept of exclusion and how to look at the quantity and quality of data not only in isolation but fitting into a bigger picture. Ms. Ibrahim highlighted the need to have a holistic perspective and encouraged stakeholders to come together to unpack and discuss these issues “It's challenging to navigate the different legal regimes,” she said.
Greg Nojeim, Senior Counsel and Director of the Freedom, Security & Technology Project at the Center for Democracy & Technology highlighted how some types of data are protected from criminal investigations in the offline world and this should be considered in the online world. “There are some precedents that say data is out of bounds”, he said.
Emphasizing the need to factor in human rights, Katitza Rodriguez, Policy Director for Global Privacy, EFF highlighted that there is certain data that people leave behind even without thinking about it or knowing. “Sensors collect a lot of data, which when merged with other data, can infer a lot of very personal information”, she said.
On the occasion of the session, I&JPN released a new Framing brief on Categories in Electronic Evidence. The resource includes a set of commonly used categories of electronic evidence, namely subscriber information, traffic, or access and transactional data, and content data. It also provides an overview of the investigation trends challenging current categorization, and finally, proposes a refreshed and forward-thinking analysis of the issues at hand.
To conclude the discussion speakers underscored key priority areas to tackle for moving forward. Key takeaways included:
National rules must determine which type of subscriber information and other types of evidence should have higher protections.
More discussion is needed on the process of setting these standards in a cross-border context.
Ensuring that there are robust mechanisms to challenge those requests where it is appropriate.
Communication and privacy have to intersect with data protection toolkits and human rights standards.
Progress is needed and as we look for solutions we need to be guided by human rights concepts.
A clear framework and rules are needed on how data is used in criminal investigations.
Without adequate protection at the national level, it will be harder for law enforcement to prosecute crimes and countries to cooperate on transnational issues.
Sharing the work of the I&JPN Contact Group on cross-border access to electronic evidence, Ajith Francis, Director of the Data & Jurisdiction Program encouraged participants to consult the I&JPN Framing brief on Categories in Electronic Evidence as well as the Toolkit on Cross-border Access to Electronic Evidence which was released in 2021. “We are at the beginning of these conversations globally and they need to be multistakeholder and encourage cross-border principles,” he said.
