Trojans and criminal investigation: is it possibile to find a balance with fundamental rights

Avv. Giovanni Battista Gallus @gbgallus
Trojans and Backdoors for investigative
purposes and fundamental rights and
freedoms: is it possible to find a balance?
International Conference
Preventing and Combating Cybercrime
Babeş-Bolyai University - Cluj-Napoca, 20-21 May, 2016
Avv. Giovanni Battista GALLUS, LL.M., Ph.D - gallus@array.eu
Hermes Center for Transparency and Digital Human Rights
Nexa Center for Internet and Society

05/20/16 3
How can you seize the
data, when
communications and
devices are encrypted?

05/20/16 4
“Equipment
interference”“Network
investigative
techniques ”
“Captatore
informatico”
"The easiest way for someone to
eavesdrop on your communications
isn’t to intercept them in transit
anymore; it’s to hack your computer.
And there’s a lot of government
hacking going on.”
Bruce Schneier, Data and Goliath,
2015

Back in 2008, we
discovered the
“Bundestrojaner”
(aka State Trojan)
Photo by Leralle

Photo by Leralle
National law of Land
Nordrhein-Westfalen,
12/20/2006 - Constitutional
Protection Act
Undercover activity
“Covertly observe [...] the
Internet, especially the covert
participation in its
communication devices and
the search for these, as well as
the clandestine access to
information-technological
systems among others by
technical means”
Paragraph 5, n. 11

German Constitutional
Court, Decision
27/2/2008
BvR 370/07 - BvR 595/07

05/20/16 8
An existing right to freedom in telecommunications was tooAn existing right to freedom in telecommunications was too
narrow; legal protections surrounding a private home includednarrow; legal protections surrounding a private home included
home computers but not laptops carried in public, electronichome computers but not laptops carried in public, electronic
organizers or mobile phones. The right to 'protection of theorganizers or mobile phones. The right to 'protection of the
private sphere' and 'informational self-determination' haveprivate sphere' and 'informational self-determination' have
protected computer users so far, but insufficiently.protected computer users so far, but insufficiently.
So the verdict in the online-surveillance case has created aSo the verdict in the online-surveillance case has created a
whole new basic right … In shorthand (it might be called) the 'ITwhole new basic right … In shorthand (it might be called) the 'IT
right'right'
Dietmar Hipp, Spiegel onlineDietmar Hipp, Spiegel online
A new fundamental
right is born

05/20/16 9
A new fundamental
right is born
Constitutional Court
creates a new
personality right: the
right to the integrity
and confidentiality
of information
technological
systems

05/20/16 10
Fast Forward 7 years

05/20/16 11
What does Galileo
do?It collects e-mails, text
messages, call history,
address books, search
history data, and
keystrokes.
It can take screenshots,
record audio to monitor
either calls or ambient
noise, snap photos, and
monitor the phone’s GPS
coordinates.

05/20/16 12
The idea is not new,
why was it so
successful?
A simple dashboard
to perform
complicated task
User friendly
interface
Good support

05/20/16 13
All over Europe...

UK Draft Investigatory
powers bill

05/20/16 15
Thorny issue: State
shopping for 0 days
and vulnerabilities

05/20/16 16
Doug Brown
Trojan horses
Encryption
Fundamental
Rights

05/20/16 17
Can fundamental
rights survive?

05/20/16 18
The Italian Supreme
Court tries to answer
The feature which allows to listen to any conversation, by turning the
microphone of the smartphone on, allows to listen to every
conversation wherever the target will bring his phone.
Such feature, according to the Court, is not admissable.
It cannot be deemed as a different tecnique for performing "normal"
interception, but it is a different tool altogether, making possible to
gather every conversation in any place the target is located.
The Court finds this feature in breach not only of the criminal
procedure Code, but also in breach of art. 15 of the Italian
Constitution (right to freedom in communications)

05/20/16 19
However...
The Italian “Corte di Cassazione a sezioni Unite”
(Supreme Court, Grand Chamber), on the 28th of
April, 2016, upheld the use of a trojan horse
“wherever the smartphone or tablet or computer
of the indicted person is”, but only with regard to
facts related to organized crime and terrorism
Can such decision be deemed compatible with
E.C.H.R. case law?

05/20/16 20
Minimum safeguards, according to the European Court of
Human Rights:
●
the nature of the offences which may give rise to an
interception order;
●
a definition of the categories of people liable to have their
telephones tapped;
●
a limit on the duration of telephone tapping;
●
the procedure to be followed for examining, using and storing
the data obtained;
●
the precautions to be taken when communicating the data to
other parties
●
the circumstances in which recordings may or must be erased
or the tapes destroyed
E.C.H.R.
Weber and Saravia v. Germany
Iordachi and others v. Moldova

We may have the
answer thanks to the
“Bundestrojaner”
Photo by Leralle
So, can fundamental
rights survive?

05/20/16 22
The approach followed by the German Constitutional Court may still be
appropriate
Very strict exceptions:
Only if there are "factual indications for a concrete danger" in a specific
case for the life, body and freedom of persons or for the foundations of the
State or the existence of humans, government agencies may use these
measures after approval by a judge.
"If there are concrete indications in the specific case that a certain measure
for gathering data will touch the core area of the conduct of private life,
it has to remain principally undone." (margin number 281)
If data from this core area is accidentally collected, it must be deleted
immediately and can not be used or forwarded in any case.
Even fundamental
rights may suffer
some limitations

05/20/16 23
Key issues
Strict rules of procedure & guidelines
Auditability
Proportionality (serious crimes)
Strict necessity
Transparency
Accountability

05/20/16 26
"51. While some governments continue with ill-conceived,
ill-advised, ill-judged, ill-timed and occasionally ill-
mannered attempts to legitimise or otherwise hang on to
disproportionate, unjustifiable privacy-intrusive
measures such as bulk collection, bulk hacking,
warrantless interception etc. other governments led, in
this case by the Netherlands and the USA have moved
more openly towards a policy of no back doors to
encryption. The SRP would encourage many more
governments to coalesce around this position.”
Report of the Special Rapporteur
on the right to privacy, Joseph A.
Cannataci, 8 march 2016

05/20/16 27
The road from
habeas corpus
to habeas data
is twisty and
dangerous

05/20/16 29
Questions?Questions?

Thank you
Avv. Giovanni Battista Gallus
gallus@array.eu @gbgallus
Unless stated otherwise,
all texts are distributed
under a Creative Commons
Attribution – non
commercial – sharealike
3.0 Unported license

Trojans and criminal investigation: is it possibile to find a balance with fundamental rights

Recomendados

Recomendados

Mais conteúdo relacionado

Semelhante a Trojans and criminal investigation: is it possibile to find a balance with fundamental rights

Semelhante a Trojans and criminal investigation: is it possibile to find a balance with fundamental rights (20)

Mais de Giovanni Battista Gallus

Mais de Giovanni Battista Gallus (11)

Último

Último (20)

Trojans and criminal investigation: is it possibile to find a balance with fundamental rights