The controversial EU High-Level Group on Data Access for Effective Law Enforcement (HLG) has published its final report. In the spirit of its separate recommendation paper, it focuses on “legitimate” access to data from messenger services like WhatsApp, Signal, Telegram or Threema. According to the report, these “over the top” providers (OTT), which provide services for users to communicate directly over the Internet, “create additional challenges for law enforcement officials.” At both national and EU level, they “often feel that they are not bound by the same obligations as traditional communications providers”.
Difficult legal situation
OTT providers fall within the scope of the European Electronic Communications Code, writes the HLG, also known as the “Going Dark” working group, in its summary. But they are often based outside the EU and therefore not subject to the usual restrictions. This creates uncertainty regarding their requirements for data storage. While in most cases traditional communication providers store certain information such as IP addresses along with port numbers for business purposes from which users can be identified, this is not the case with OTT providers.
Additionally, according to EU prosecutors, the increasing volume of inquiries received by providers is contributing to them being delayed or rejected. One reason for this is “specific business model decisions” taken by operators, such as deliberately saving data. The sparse cooperation is also due to the limited number of mechanisms for cooperation between law enforcement officials and private companies.
The HLG also observed that many new technology providers and digital players such as car manufacturers and AI systems were creating and processing metadata using large language models. These can also provide information about criminal activities. Despite their growing importance, they are not currently bound by the obligation to store data.
Sanctions such as bans were called for
In practice, ordinary OTT services have not developed any technical mechanisms “to respond to requests from the authorities of EU Member States for lawful monitoring”, experts complain. In contrast, Great Britain has created a framework for lawful monitoring of OTT communications with the Investigatory Powers Act, which also applies to services based there due to the adoption of a data access agreement with the USA. According to the relevant British authorities, this makes a “significant difference to crime prevention and investigation”.
The Group therefore urges that Member States be able to impose sanctions on uncooperative providers of electronic and other communications services. The tools should include “restricting their ability to trade in the EU market” – such as blocks at the network or app store level – as well as prison sentences for those responsible. Enhanced cooperation between law enforcement authorities and service providers, which has long been sought by the HLG and EU countries, “will improve the situation to some extent”. But this should also be kept within the ambit of law.
“Lawful access by design”
The EU Commission established the working group last year at the request of member states. The starting point was the ongoing crypto war and the related debate about the “going dark” scenario, according to which increased end-to-end encryption threatens to blind and deafen investigators. Scientists consider it a myth, but the police and judiciary want to see what they have identified as the “bad problem” of encryption addressed.
At a meeting with representatives of the European Union last year, representatives of law enforcement and judicial authorities from the United States called for access to unencrypted communications data to be integrated directly into the technology using the principle of “lawful access by design.” A major cyber attack on such monitoring interfaces from US providers shows that this approach can have negative consequences.
Real-time access to generated data
The purpose of the final report is to “describe in detail the challenges identified by the experts and present options for continuing the work and implementing the recommendations”. Accordingly, there is a need for “harmonized and consistent data retention laws.” The EU should also issue a recommendation on real-time access to stored connection and location information without any reason by 2025. In general, “legitimate surveillance is vital to the effective investigation and prosecution of organized crime and terrorist groups.”
“Encrypting data by default on devices is a significant challenge,” it continues. Investigators often have no choice but to exploit vulnerabilities. However, such approaches must be reconciled with the goal of ensuring more secure hardware and software. Ultimately, there remains an appeal to force service providers to release communications data in plain text. But there’s no such thing as being a little encrypted, just like there’s no such thing as being a little pregnant. The EU Council in July promised to seek “legally and technically secure solutions for access to encrypted electronic communications in individual cases” subject to court orders to prosecute serious crimes.
(mho)