The home secretary wants access to specific WhatsApp messages. All such messages currently have end-to-end encryption, whether they are of the ‘I am on the 7.15, home in an hour’ type, or an exchange planning mass murder - even if there is a warrant signed by a secretary of state and a senior judge for access to the latter. Amber Rudd said: ‘Real people often prefer ease of use and a multitude of features to perfect, unbreakable security,’ in the hope that some deal for access can be worked out with the tech companies.
The cross-border element is one of the most complicated aspects of this debate. Access to cross-border electronic evidence is a problem with many threads. WhatsApp is owned by Facebook, which is based in the US and has its European headquarters in Ireland. The location of the relevant servers and de-encryption of messages, supposing they are stored, are further complications. There are similarly tangled problems with all the other major providers of messaging and email services.
The EU funded a project to investigate the state of cross-border electronic evidence, which ended last year. Without dwelling too much on the detail, there is a difference between electronic evidence, the generic name for all evidence from an electronic device, and digital evidence, which is a sub-class (‘electronic evidence which is generated or converted to a numerical format’). There are further differences between collection, preservation and use of electronic evidence, and its transfer and exchange – and then again between evidence which was always electronic, and that which has become electronic. These issues have a legal impact on cross-border access.
Following this project, the EU launched a few days ago a public consultation on the issue as it relates to criminal matters alone. It is one of the classic ‘clear-the-desk-before-the-summer-break’ consultations, but at least it has a deadline of 27 October, allowing August sun-seekers some weeks after they get back in which to complete it. Or you can complete it while in an unmoving line at an EU airport waiting to show your passport…
For those who are looking forward to the grand days after Brexit when we will have agreements with all countries, and not just the EU, it is worth looking at the data the Commission has published in its impact assessment, which forms a background to the consultation. While a request to a domestic service provider generally takes a few days at most, requests between Member States through the European Investigation Order (EIO) must be complied with within 120 days (roughly four months). Legal assistance requests to the US as the main recipient, on the other hand, take around 10 months on average, and require significant resources. In US cases, the evidence transmitted is often outdated or comes too late.
To create the best environment for the EIO to work, the EU has taken, and is taking, numerous measures, such as:
- an electronic user-friendly version of the EIO form annexed to the EIO directive, to make completion and translation of the form easier, including guidance for practitioners;
- a platform with a secure communication channel for digital exchanges of EIOs for electronic evidence and replies between EU judicial authorities, with a possible later extension of this cooperation platform to US authorities, if Member States and the US consider this useful; cooperation with private entities may also be examined;
- practical measures to improve cooperation between Member States’ authorities and U.S. authorities, such as regular technical dialogues between the Commission and the U.S. Department of Justice to improve the treatment of requests for electronic evidence;
- the extension of single points of contact for member states and IT providers, which are already in place in some Member States (for instance, Belgium, Finland, France and our own UK), and a number of providers have already established dedicated law enforcement portals to provide guidance (for instance Apple, Facebook, Google and Microsoft).
The European Investigation Order (directive 2014/41/EU) should have been implemented in the UK by 22 May 2017. The UK missed the deadline as a result of the recent election. However, the UK is not alone. The Commission reports that as of 19 May 2017, only Germany, France, Romania and Slovenia had communicated their implementing laws.
Once we are out of the EU, we will presumably be out of the EU system, and so back to long delays – unless we manage to negotiate some sort of carve-out for criminal justice, as the government wants. The prime minister herself said on this topic: ‘Our response cannot be to cooperate with one another less, but to work together more.’
If we are to have the whack of the EU behind our dealings with the IT giants on access to their data, let us hope that this carve-out happens.
Jonathan Goldsmith is Law Society Council member for EU matters and a former secretary general of the Council of Bars and Law Societies of Europe. All views expressed are personal and do not necessarily reflect the views of the Law Society Council.