The document discusses the balance between law enforcement's use of trojans and backdoors for investigations and fundamental rights and privacy. It outlines how a German court established a new fundamental right to privacy and integrity of IT systems. While some courts have allowed limited use of trojans against organized crime, strict rules are needed around necessity, proportionality, oversight and transparency to protect fundamental rights. Striking the right balance between security and privacy remains an ongoing challenge.
Trojans and criminal investigation: is it possible to find a balance with fundamental rights?
1. Avv. Giovanni Battista Gallus @gbgallus
Trojans and Backdoors for investigative purposes and fundamental rights and freedoms: is it possible to find a balance?
International Conference
Preventing and Combating Cybercrime
Babeş-Bolyai University - Cluj-Napoca, 20-21 May, 2016
Avv. Giovanni Battista GALLUS, LL.M., Ph.D - gallus@array.eu
Hermes Center for Transparency and Digital Human Rights
Nexa Center for Internet and Society
2.
How can you seize the data, when communications and devices are encrypted?
3.
“Equipment interference”, “Network investigative techniques”, “Captatore informatico”
"The easiest way for someone to eavesdrop on your communications isn’t to intercept them in transit anymore; it’s to hack your computer. And there’s a lot of government hacking going on.”
Bruce Schneier, Data and Goliath, 2015
4.
Back in 2008, we discovered the “Bundestrojaner” (aka State Trojan)
Photo by Leralle
5.
Photo by Leralle
National law of Land Nordrhein-Westfalen, 12/20/2006 - Constitutional Protection Act
Undercover activity
“Covertly observe [...] the Internet, especially the covert participation in its communication devices and the search for these, as well as the clandestine access to information-technological systems among others by technical means”
Paragraph 5, n. 11
6.
German Constitutional Court, Decision 27/2/2008, BvR 370/07 - BvR 595/07
7.
An existing right to freedom in telecommunications was too narrow; legal protections surrounding a private home included home computers but not laptops carried in public, electronic organizers or mobile phones. The right to 'protection of the private sphere' and 'informational self-determination' have protected computer users so far, but insufficiently.
So the verdict in the online-surveillance case has created a whole new basic right … In shorthand (it might be called) the 'IT right'
Dietmar Hipp, Spiegel online
A new fundamental right is born
8.
A new fundamental right is born
Constitutional Court creates a new personality right: the right to the integrity and confidentiality of information technological systems
10.
What does Galileo do?
It collects e-mails, text messages, call history, address books, search history data, and keystrokes.
It can take screenshots, record audio to monitor either calls or ambient noise, snap photos, and monitor the phone’s GPS coordinates.
11.
The idea is not new, why was it so successful?
A simple dashboard to perform complicated tasks
User friendly interface
Good support
17.
The Italian Supreme Court tries to answer
The feature which allows listening to any conversation, by turning on the microphone of the smartphone, makes it possible to listen to every conversation wherever the target brings his phone.
Such a feature, according to the Court, is not admissible.
It cannot be deemed a different technique for performing "normal" interception; it is a different tool altogether, making it possible to gather every conversation in any place the target is located.
The Court finds this feature in breach not only of the Code of Criminal Procedure, but also of art. 15 of the Italian Constitution (right to freedom in communications).
18.
However...
The Italian “Corte di Cassazione a sezioni Unite” (Supreme Court, Grand Chamber), on the 28th of April, 2016, upheld the use of a trojan horse “wherever the smartphone or tablet or computer of the indicted person is”, but only with regard to facts related to organized crime and terrorism.
Can such a decision be deemed compatible with E.C.H.R. case law?
19.
Minimum safeguards, according to the European Court of Human Rights:
● the nature of the offences which may give rise to an interception order;
● a definition of the categories of people liable to have their telephones tapped;
● a limit on the duration of telephone tapping;
● the procedure to be followed for examining, using and storing the data obtained;
● the precautions to be taken when communicating the data to other parties;
● the circumstances in which recordings may or must be erased or the tapes destroyed.
E.C.H.R., Weber and Saravia v. Germany; Iordachi and others v. Moldova
20.
We may have the answer thanks to the “Bundestrojaner”
Photo by Leralle
So, can fundamental rights survive?
21.
The approach followed by the German Constitutional Court may still be appropriate
Very strict exceptions:
Only if there are "factual indications for a concrete danger" in a specific case for the life, body and freedom of persons or for the foundations of the State or the existence of humans, may government agencies use these measures, after approval by a judge.
"If there are concrete indications in the specific case that a certain measure for gathering data will touch the core area of the conduct of private life, it has to remain principally undone." (margin number 281)
If data from this core area is accidentally collected, it must be deleted immediately and cannot be used or forwarded in any case.
Even fundamental rights may suffer some limitations
22.
Key issues
Strict rules of procedure & guidelines
Auditability
Proportionality (serious crimes)
Strict necessity
Transparency
Accountability
23.
"51. While some governments continue with ill-conceived, ill-advised, ill-judged, ill-timed and occasionally ill-mannered attempts to legitimise or otherwise hang on to disproportionate, unjustifiable privacy-intrusive measures such as bulk collection, bulk hacking, warrantless interception etc. other governments led, in this case by the Netherlands and the USA have moved more openly towards a policy of no back doors to encryption. The SRP would encourage many more governments to coalesce around this position.”
Report of the Special Rapporteur on the right to privacy, Joseph A. Cannataci, 8 March 2016
24.
The road from habeas corpus to habeas data is twisty and dangerous
26.
Thank you
Avv. Giovanni Battista Gallus
gallus@array.eu @gbgallus
Unless stated otherwise, all texts are distributed under a Creative Commons Attribution – non commercial – sharealike 3.0 Unported license