www.coe.int/cybercrime

Strasbourg, 5 October 2015

T-CY (2015)22 E

Save the date / invitation

Cybercrime Convention Committee (T-CY) / Cloud Evidence Working Group

HEARING

Criminal justice access to electronic evidence in the cloud

Monday, 30 November 2015, 11h00 - 17h00, Room 1, Palais de l’Europe

Council of Europe, Strasbourg, France

Note: Chatham House rules apply

Background

The T-CY established the “Cloud Evidence Group” in December 2014 in order to explore solutions for access for criminal justice purposes to evidence in the cloud, including through mutual legal assistance. In May 2015, the CEG presented a discussion paper on “challenges” for criminal justice authorities. The hearing of service providers is to help find answers to the challenges identified.

Purpose of the hearing

To seek the help of service providers regarding solutions to the challenges faced by criminal authorities when accessing evidence in a cloud context. The hearing will focus in particular on policies and practices of service providers regarding (1) the production of subscriber information and (2) direct cooperation between service providers and foreign criminal justice authorities. 

Interested service providers are encouraged to submit written comments on the questions below by 10 November 2015.

The findings of the hearing are to help the CEG devise solutions to address criminal justice challenges either through better use of existing provisions of the Budapest Convention on Cybercrime or an additional Protocol to this Convention.

Participants

Participation is free of charge but subject to registration.

Registration & contact

Tel: +33-3-8841-2175 / Email

Questions to be addressed

Question 1: Domestic production orders for subscriber information when “offering a service on the territory” of a Party

Considering Article 18 paragraph 1.b. of the Budapest Convention and its explanatory report (see appendix):

  1. When do you, as a service provider[1], consider that you are offering a service on the territory of a State?

  2. Thus, when do you consider that you are subject to a domestic production order for subscriber information in the country where you are offering a service?

  3. What are the criteria, conditions or circumstances that make you accept or decline such a request?

Question 2: Direct cooperation between criminal justice authorities (such as police, prosecutors or courts) and foreign service providers

Transparency reports published by many service providers indicate that service providers often respond to requests for data that they receive directly from criminal justice authorities. Thus:

  1. What are your policies and practices, criteria, and conditions for responding directly to a request for (a) subscriber, (b) traffic, and (c) content data from a foreign police agency, prosecution service or court?

  2. What are your policies and practices regarding criminal or non-criminal emergency requests?

  3. Do you have written guidelines for cooperation with criminal justice? If so, please make them available (please indicate whether the document should be kept restricted or confidential).

  4. Do you require permission from the authorities of your country before responding to a request from foreign criminal justice authorities?

  5. What are your policies and practices regarding informing the customer of a criminal justice request? What are your requirements for not informing the customer?

Question 3: Would you have comments on other questions raised in the Discussion Paper prepared by the Cloud Evidence Group?

 
Appendix 1: Extracts of the Budapest Convention

Article 18 – Production order

1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order:

a     a person in its territory to submit specified computer data in that person’s possession or control, which is stored in a computer system or a computer-data storage medium; and

b     a service provider offering its services in the territory of the Party to submit subscriber information relating to such services in that service provider’s possession or control.

2 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

3 For the purpose of this article, the term “subscriber information” means any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established:

a    the type of communication service used, the technical provisions taken thereto and the period of service;

b    the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;

c    any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.

Explanatory report: Production order (Article 18)

170. Paragraph 1 of this article calls for Parties to enable their competent authorities to compel a person in its territory to provide specified stored computer data, or a service provider offering its services in the territory of the Party to submit subscriber information. The data in question are stored or existing data, and do not include data that has not yet come into existence such as traffic data or content data related to future communications. Instead of requiring States to apply systematically coercive measures in relation to third parties, such as search and seizure of data, it is essential that States have within their domestic law alternative investigative powers that provide a less intrusive means of obtaining information relevant to criminal investigations.

171. A "production order" provides a flexible measure which law enforcement can apply in many cases, especially instead of measures that are more intrusive or more onerous. The implementation of such a procedural mechanism will also be beneficial to third party custodians of data, such as ISPs, who are often prepared to assist law enforcement authorities on a voluntary basis by providing data under their control, but who prefer an appropriate legal basis for such assistance, relieving them of any contractual or non-contractual liability.

172. The production order refers to computer data or subscriber information that are in the possession or control of a person or a service provider. The measure is applicable only to the extent that the person or service provider maintains such data or information. Some service providers, for example, do not keep records regarding the subscribers to their services.

173. Under paragraph 1(a), a Party shall ensure that its competent law enforcement authorities have the power to order a person in its territory to submit specified computer data stored in a computer system, or data storage medium that is in that person's possession or control. The term "possession or control" refers to physical possession of the data concerned in the ordering Party’s territory, and situations in which the data to be produced is outside of the person’s physical possession but the person can nonetheless freely control production of the data from within the ordering Party’s territory (for example, subject to applicable privileges, a person who is served with a production order for information stored in his or her account by means of a remote online storage service, must produce such information). At the same time, a mere technical ability to access remotely stored data (e.g. the ability of a user to access through a network link remotely stored data not within his or her legitimate control) does not necessarily constitute "control" within the meaning of this provision. In some States, the concept denominated under law as "possession" covers physical and constructive possession with sufficient breadth to meet this "possession or control" requirement.

Under paragraph 1(b), a Party shall also provide for the power to order a service provider offering services in its territory to "submit subscriber information in the service provider’s possession or control". As in paragraph 1(a), the term "possession or control" refers to subscriber information in the service provider’s physical possession and to remotely stored subscriber information under the service provider’s control (for example at a remote data storage facility provided by another company). The term "relating to such service" means that the power is to be available for the purpose of obtaining subscriber information relating to services offered in the ordering Party’s territory.

174. The conditions and safeguards referred to in paragraph 2 of the article, depending on the domestic law of each Party, may exclude privileged data or information. A Party may wish to prescribe different terms, different competent authorities and different safeguards concerning the submission of particular types of computer data or subscriber information held by particular categories of persons or service providers. For example, with respect to some types of data, such as publicly available subscriber information, a Party might permit law enforcement agents to issue such an order where in other situations a court order could be required. On the other hand, in some situations a Party might require, or be mandated by human rights safeguards to require that a production order be issued only by judicial authorities in order to be able to obtain certain types of data. Parties may wish to limit the disclosure of this data for law enforcement purposes to situations where a production order to disclose such information has been issued by judicial authorities. The proportionality principle also provides some flexibility in relation to the application of the measure, for instance in many States in order to exclude its application in minor cases.

175. A further consideration for Parties is the possible inclusion of measures concerning confidentiality. The provision does not contain a specific reference to confidentiality, in order to maintain the parallel with the non-electronic world where confidentiality is not imposed in general regarding production orders. However, in the electronic, particularly on-line, world a production order can sometimes be employed as a preliminary measure in the investigation, preceding further measures such as search and seizure or real-time interception of other data. Confidentiality could be essential for the success of the investigation.

176. With respect to the modalities of production, Parties could establish obligations that the specified computer data or subscriber information must be produced in the manner specified in the order. This could include reference to a time period within which disclosure must be made, or to form, such as that the data or information be provided in "plain text", on-line or on a paper print-out or on a diskette.

177. "Subscriber information" is defined in paragraph 3. In principle, it refers to any information held by the administration of a service provider relating to a subscriber to its services. Subscriber information may be contained in the form of computer data or any other form, such as paper records. As subscriber information includes forms of data other than just computer data, a special provision has been included in the article to address this type of information. "Subscriber" is intended to include a broad range of service provider clients, from persons holding paid subscriptions, to those paying on a per-use basis, to those receiving free services. It also includes information concerning persons entitled to use the subscriber’s account.

178. In the course of a criminal investigation, subscriber information may be needed primarily in two specific situations. First, subscriber information is needed to identify which services and related technical measures have been used or are being used by a subscriber, such as the type of telephone service used (e.g., mobile), type of other associated services used (e.g., call forwarding, voice-mail, etc.), telephone number or other technical address (e.g., e-mail address). Second, when a technical address is known, subscriber information is needed in order to assist in establishing the identity of the person concerned. Other subscriber information, such as commercial information about billing and payment records of the subscriber may also be relevant to criminal investigations, especially where the crime under investigation involves computer fraud or other economic crimes.

179. Therefore, subscriber information includes various types of information about the use of a service and the user of that service. With respect to the use of the service, the term means any information, other than traffic or content data, by which can be established the type of communication service used, the technical provisions related thereto, and the period of time during which the person subscribed to the service. The term ‘technical provisions’ includes all measures taken to enable a subscriber to enjoy the communication service offered. Such provisions include the reservation of a technical number or address (telephone number, web site address or domain name, e-mail address, etc.), as well as the provision and registration of communication equipment used by the subscriber, such as telephone devices, call centers or LANs (local area networks).

180. Subscriber information is not limited to information directly related to the use of the communication service. It also means any information, other than traffic data or content data, by which can be established the user’s identity, postal or geographic address, telephone and other access number, and billing and payment information, which is available on the basis of the service agreement or arrangement between the subscriber and the service provider. It also means any other information, other than traffic data or content data, concerning the site or location where the communication equipment is installed, which is available on the basis of the service agreement or arrangement. This latter information may only be relevant in practical terms where the equipment is not portable, but knowledge as to the portability or purported location of the equipment (on the basis of the information provided according to the service agreement or arrangement) can be instrumental to an investigation.

181. However, this article should not be understood as to impose an obligation on service providers to keep records of their subscribers, nor would it require service providers to ensure the correctness of such information. Thus, a service provider is not obliged to register identity information of users of so-called prepaid cards for mobile telephone services. Nor is it obliged to verify the identity of the subscribers or to resist the use of pseudonyms by users of its services.

182. As the powers and procedures in this Section are for the purpose of specific criminal investigations or proceedings (Article 14), production orders are to be used in individual cases concerning, usually, particular subscribers. For example, on the basis of the provision of a particular name mentioned in the production order, a particular associated telephone number or e-mail address may be requested. On the basis of a particular telephone number or e-mail address, the name and address of the subscriber concerned may be ordered. The provision does not authorise Parties to issue a legal order to disclose indiscriminate amounts of the service provider’s subscriber information about groups of subscribers e.g. for the purpose of data-mining.

183. The reference to a "service agreement or arrangement" should be interpreted in a broad sense and includes any kind of relationship on the basis of which a client uses the provider’s services.


Appendix 2: Background documents

T-CY(2015)10 Criminal justice access to data in the cloud: challenges https://rm.coe.int/CoERMPublicCommonSearchServices/sso/SSODisplayDCTMContent?documentId=0900001680304b59

T-CY assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016802e726c

Terms of reference of the Cloud Evidence Group, http://www.coe.int/en/web/cybercrime/ceg

Conclusions of the Octopus conference 2015: https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680319026

Transborder Group: http://www.coe.int/en/web/cybercrime/tb

European Court of Justice, Google v. Spain: http://curia.europa.eu/jcms/upload/docs/application/pdf/2014-05/cp140070en.pdf

Yahoo Case: http://www.stibbe.com/en/news/2014/july/benelux-ict-law-newsletter-49-court-of-appeal-of-antwerp-confirms-yahoo-obligation


[1] The Budapest Convention applies a broad concept covering all types of service providers:

Article 1 – Definitions

For the purposes of this Convention:

c    "service provider" means:

i    any public or private entity that provides to users of its service the ability to communicate by means of a computer system, and

ii     any other entity that processes or stores computer data on behalf of such communication service or users of such service.