The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.
***
>> MODERATOR: Welcome to IGF 2022, WS 403, Cross‑Border Data Sharing for Public Safety. This workshop is co‑organized by Chatham House and Oxford Information Labs. I'm Emily Taylor, and I'm at the Oxford Information Labs. If you are liking to make an intervention, and joining online, use the raise and function, which you find under the reactions button at the bottom of the screen.
If you are at the venue, our colleague Jasmine is in the room and she'll let us know if you would like to take the floor. Jasmine, wave to people and let us know when you want to take the mic. Finally, our speaker from access now, Javier Pallero is unfortunately unable to join us today. So we're particularly welcoming inputs from Civil Society members of the audience today.
Part of the Internet's fundamental premise is enabling the free flow of data and across borders. We have seen emergence of cybercrime. Before it was analog and happened locally. The structures reflected that.
In the digital age, cybercrime is inherently international in nature and requires the sharing of data across jurisdictional borders while there are signs of progress, existing frameworks today don't yet adequately cover all aspects of cross‑border data transfers and tensions still loom about the implications for the integrity and protection of citizens' privacy. So today, we're going to look at the current state of affairs from multiple perspectives, what is happening in the landscape, and examine the respective roles of the different stakeholders. This is a very highly, legally technical area. The terminology can be quite baffling and confusing, even for people who are expert.
So to guide us on this journey, I would like to welcome a wonderful panel of experts and communicators that will kick us off with a brief, five‑minute introduction ‑‑ an impossible task ‑‑ to pack all of the information you want to share into such a short time. The initial remarks I hope will set the scene and enable a wider conversation. We really encourage people who are in the room and in the Zoom room to participate.
So without further ado can I call on the first speaker, Marjorie Buchser, the Executive Director of the initiative at Chatham House, you are leading a project on cross‑border public safety, can you tell us about the project and pain points emerging through your work? Thank you.
>> Marjorie Buchser: Yes, indeed, thank you, Emily. The point is to broaden the debate about cross‑border data. I would like to step back and address the question of why do we think this question requires a multistakeholder group like here in IGF to have an in‑depth discussion about it? As you say, Emily, it is undeniably a technical and legal area of discussion. It is high entry and not so accessible for broader public. I think we should go beyond the technical discussion about it. Because there are really fundamental issues relating to the data cross‑border data discussion that speaks to broader challenges of technology governance and ultimately what type of digital society we ultimately want to create. So as you say in the introduction, Emily, the reason why it has become a challenge is because human behaviors and practices have changed tremendously in the last decade. As more actions move online so has crime.
Most crime, as you say, has a digital dimension. So therefore have digital trace. The issue is that the nature of the trace. How it is collected, how it is stored, wanted, is different from 50 or more than that ago.
So the reality, the data, digital evidence that is useful for criminal investigation is often store ‑‑ it is the case if not in U.S. or China outside of the country where it was collected and often owned by private actors, it is your email, text, messages. That is basically data that Microsoft, Google, Amazon, Meta, and others will collect.
And these changes have profound implication in the governance system. First of all, it is much more complex and international. And you have the emergence of important actors like large online platform, which have significance in the current data architecture.
It is problematic because of the governance ‑‑ not only the legal framework, but the institution, the networks, the connection around the topic have not evolved significantly enough to reflect the changes. It is still national infrastructure and architecture that is trying to drive this discussion. It is often actors that are not used to working together. Police forces are not used to calling Microsoft to ask for data. That leads to friction, information asymmetry and sometimes gaps in trust. States, I think rightly so, are uncomfortable to discuss issues of public safety that are fundamental to sovereign functions.
I think the point is, the benefit, there is a clear benefit for all citizen and victim for authorities to have access to all of the data and evidence that could be available to them to solve and resolve crime.
And this is why it is an important topic. It is basically about the plans of using digital evidence as a tool to solve legitimate criminal investigation. But also doing so in a way that is protecting privacy and personal data. Because of course, the flip side of it is increased resilience, abuse and collection of data in dystopian States.
The problem is that disbalance shouldn't only be discussed but does involve civil engagement. It is about social contract. If you provide public safety, what other requirement in principle will lead to what you do. That is why we thought it was really important to have an IGF session on that topic and engage a broader set of constituencies to discuss it with us.
I will pause that. Thank you, Emily for a great start.
>> MODERATOR: Thank you for that really concise introduction Marjorie. And the sort of, the way you describe it, it is not describing with the analogue structure, as behaviors change, we see the strains in the actors that are not used to communicating now have to do so.
This brings us to Aisling Kelly that is with law enforcement at Microsoft. You have seen this issue from both sides, if you like, first as a public prosecutor and now within one of the major platforms that hold a lot of the data everybody wants.
Can you just give us an introduction to the broad challenges and tensions in transnational data sharing, from your perspectives?
>> Aisling Kelly: Yes, thanks, Emily. It is great to be on the panel. I'm sad I can't be in Addis. To give people an understanding online. My role is leading the law enforcement team in Europe and working with the requests from 50‑plus countries. We're the team that review and process the orders around the world.
My previous role was as a public prosecutor, I think that informed where I'm coming from. Even the title of the workshop is something traditional law enforcement would have difficulty signing up for. They don't think along the lines of cross‑border data sharing. They don't call it data, they call it evidence. It is barriers in terms of the language we use around this law. It is as you said in the beginning, a specialist topic.
As a practitioner in law enforcement for many years, there is a lag time in understanding what this data is and how to access it. For the most part if the phone is seized at the scene of the crime. It is downloading the phone. The evidence on the device is downloaded. The data resident in the Cloud, that is definitely an early stage of understanding in global law enforcement. They understand the data is on the phone, but the reality is that data isn't necessarily all on the phone, as we know. It is dissipated throughout the world. You could have 20 or 50 apps on your phone and that data may be in a number of countries, could be in three or four. Or as they say sharded across the world, tiny bits in different countries, depending on where the apps are based.
It is very important, I suppose, to start the conversation that law enforcement is coming at it from a different language.
Like anyone, if you are looking at building a relationship between people, I'm thinking of the famous film dancing with wolves with Kevin Costner, you need to build with each other before you can deal with the problems.
I think, you know, stuff ‑‑ understanding that ‑‑ for me, I think cross‑border data sharing, you are looking at the traditional methods of cross‑border data sharing and how obviously they're unfit in the modern world. And how the system was designed to protect sovereignty and stop one country's law enforcement agents going into another country's sovereign territory and interfering with sensitive matters.
We saw that in our own country in Ireland, where the Chinese Government set up a police station in our state. And the entire country went absolutely nuts. The explanation was it was there as an advisory service for a particular district in China where a lot of people came from and ended in Ireland.
But that was enough to make the front‑page news in the country and enough to get intervention within 48 hours from the Minister of Justice to shut that down. It shows you what a hot topic sovereignty is still. Those are to protect sovereignty, the newer instruments we're seeing developed over the course of the second edition protocol to Budapest or indeed the draft U.N. cybercrime Treaty, they're coming at it from a different perspective of what to protect and privacy and data protection rights way up the ladder, rather than sovereignty.
We need to think about what is it for. To sum up, what is the consequences of not solving these problems? I fundamentally believe it is further lawlessness. If we don't solve the problems, there is no accountability. As Charles Dickens said about hard times when they were talking about a bank robbery. If there were no consequences we would all go in for banks. We would all rob a bank if we thought there were no consequence. If we don't have consequences there will be further lawlessness. We have seen that in the online safety, where the anonymity has bred a lawlessness on the Internet.
Happy to jump in with further questions. Thanks.
>> MODERATOR: Thank you very much Aisling Kelly, yeah, thanks for mentioning Charles Dickens as well. I think sometimes I think ‑‑ to your point about language. This very excluding language and more newcomers to the area. MLAT is a Mutual Legal Assistance Treaty. It is for evidence or data sharing. A lot of the law reforms that happened in the 19th century in the U.K. happened because of one of Charles Dickens' novels, this time, bleak house that showed how inefficient the legal system had become. It sometimes teal feel like we're in the same territory.
Bertrand de La Chapelle, great to have you on the panel. Executive Director and co‑founder of the Internet and jurisdiction policy network. Bertrand, I feel like you spotted this issue many, many years ago. And highlighted the need for almost like we have interoperable standards and technology, we need interoperable laws as well, otherwise we'll end up in a mess. How's that going at the moment, from your perspective?
>> Bertrand de La Chapelle: Well, thank you, Emily. It is a topic, you are absolutely right that was started basically back in 2012, when I co‑created the Internet and jurisdiction policy network. This is about the relationship between public authorities on the one hand. And large companies on the other hand.
It is a larger question. But what I want to help people understand is what it means on a concrete basis for everyday life.
Electronic evidence or digital evidence is needed for cybercrime and things happening online, it is needed for every investigation. A murder, theft, or any kind of illegal activity, there is a need to understand better what used to be documents, papers, things we were taken in the safe or in doing an inquiry, investigation with a warrant in a particular house.
Today, most of the elements are available online or on digital form. And I think as was said, in most cases it is stored by large companies that can be Cloud providers or other service providers. For instance, we use email and a lot of the emails are stored by the event provider.
The problem is that as was mentioned before and I think it is really important, for every single investigation, there is a need to have access to this kind of information. And in most cases because of the distribution of the international actors in the digital space, those actors are located outside of the country.
The mechanisms established first originally were twofold, when you had to deal with a Telco operator in your country, it was with your international laws, it was in your territory and your sovereignty.
If on the other hand, the papers you wanted to get or find were in a safe that was in another country, then it made complete sense to have the obligation of following at least the modicum of rules of that country like with a German law enforcement investigator wanted to find documents in a safe in the U.S., it made sense that the U.S. laws were somewhat involved. I don't get into the details. That is the purpose of the mutual legal assistance Treaties.
The problem is today, using MLAT you don't function for situations where everything is entirely local except the operator that hosts the data. So fundamentally, you have a crime in Malta. The victim are in Malta. The suspect is in Malta. It is the investigation done by the law authorities of Malta, but because the email was managed by Google, for Gmail, there is the involvement of an operator located somewhere else. It is important to understand that. We're talking about hundreds of thousands if not millions of investigations that are happening all around the world. This involves a lot of cross‑border situations.
The MLAT situation is not appropriate. There is no reason to involve fully another Government in an investigation that is completely local.
But at the same time, and what is really important here, is there are two discourses. And both are true. One is there is a problem of efficiency for investigations. Because in the current MLAT, the Mutual Legal Assistance Treaty, you can wait up to two years to get the information for your investigation. That is completely unmanageable.
But there is another ‑‑ there is a desire to have something more efficient, that is discourse number one.
The second discourse, which is as important is that there is a disparity of legal protections around the world. And that we cannot allow just the solution that would say I'm in country X. Not mentioning any country. I'm in country X. I have my national law that can be perfect or really bad. And just because I follow my national law I should have access to data stored somewhere else. It can be in a country that is repressing dissent, that is restricting, or more simply using criminal investigation to stamp down political discourse.
So the two discourses have to be reconciled so we establish due process mechanisms to ensure more efficient system, but with all due protection for human rights and privacy, et cetera. And it is a major problem because we have the patchwork of jurisdictions all around the world. As mentioned before, there are few initiatives that have been taken that we will discuss further.
I wanted to present the landscape, and make people understand why we're talking about this. And looking at the notion of direct requests that would be made from the law enforcement in one country to companies in another.
I insist on the word direct requests because there is a confusion with the notion of direct access. What we're talking about is very formal request with procedures that are being sent to somebody in another country. Viola.
>> MODERATOR: Viola, merci. It sounds so easy and so simple. You know, we want efficiency, due process, safeguards for human rights. You can say it in a sentence, but it is very, very difficult to achieve in practice.
Let me now turn to our fourth speaker, Dr. Theodore Christakis Professor of European law and senior Fellow at the cross‑border data Forum among many other roles. Theodore, you are a leading legal scholar in this area. You have been involved and living some of the key processes to try and resolve the road blocks. Can you give an overview particularly of the progress being made in the respective Forums for a general audience?
You know, cross‑border data sharing or evidence sharing for dummies type of approach, if you will. In five minutes. Not at all an easy ask, but thank you for making the attempt for us today.
>> Theodore Christakis: Thank you, Emily. Thanks to all of the previous speakers that made it much easier for me. Because they brilliantly, all of them explained the problems, the context, the landscape. As a logical follow‑up, I will give you ‑‑ I will not speak about everything here. I will give a very precise example of how we tried or were about to try to solve the issues at the level of the European Union.
I will talk to you about the project of the e‑evidence regulation. The electronic evidence. We call it e‑evidence regulation. It is interesting because all of the other speakers talked about the issues with the access to data that is important for enforcement. And we need them in more than 85% of criminal investigations. But in more than 55% of criminal investigations as said, this electronic evidence is in another jurisdiction. So the European Union realize this. What we have not said is we acknowledge the mechanisms, where you request the data from a company, but without having any way to combat, there is no obligation. Sometimes the company, especially in Europe if it is about subscriber data, who posted something illegal on Twitter. Put Twitter aside. But they will give this information. This is problematic, it is not regulated, it creates problems, there is no obligations.
Among other things in order to deal with all of the problems, including the lowness, of the voluntary action, the European Union propose 4.5 years ago, the e‑evidence regulation to do what Bertrand said, which is to try among European Member States to make the possibility to request data, which is stored by an operator in another country, in another member country.
It was considered so important, this project, for all the reasons you said. It started six years ago, thinking about this. Four years and a half, still it is not over.
When it is new yesterday they announced a political compromise. So we have here a great hope that this will be adopted.
But one could ask why it was so important? We know the problem. Why took four and a half years of the negotiation? As I wrote in an Article, EU the slate, the European Parliament and European Union were late in notification. There were other problems like human rights problems, I cannot enter into the details of all of the problems. They would not each agree about the title. The commission were saying e‑evidence, the other was saying electronic information. Thing Commission has two, the directive and Parliament wanted only one.
They disagree on everything but the need to adopt the project. Everybody agreed on this, but all the other things they disagree.
Another that we will not discuss here, is the role of the service provider. They're given ‑‑ like you said, all of you, when you make requests to companies, one is how to avoid abuse or human rights. They want to protect their clients.
In the commission project there was grounded for reshuffle from the service provider, if they considered the violation of the Charters of the human rights of European Union. Everybody started shouting. This is terrible. If you take it from States to service providers, this is turning service providers into judicial authorities and moving to privatization of law enforcement. In the text of the Council and Parliament removed powers to service providers. But who will control. I will finish with this ‑‑ I will be two more minutes. The commission's idea was that you don't need if you sent request from Germany to another. ‑‑ they won't send the physical document to Poland.
We're a European Union, we should function like the United States, so when for instance ‑‑ and member makes a request to a provider of another member country, you don't need to involve the other member country, there is absolute mutual trust. Mutual trust between the European Union member countries. There is loads of criminal procedure. We think mutual trust.
This is a concept which is challenged, especially by all of the countries like Poland, Hungary or rule of law. It is how do we deal with this? This is why I said it was the notification. The idea is when a country like for instance, Poland wants to issue a request, they should notify another country. Everybody would agree we should notify another country and give essentially the powers to another current. But which one? There was a huge debate.
It was interesting. What I proposed is the country to notify should be the country of residence of the person. If like Bertrand said, everything is happening in Malta. The victim is in Malta. The person ‑‑ the suspect is in Malta. Everything in Malta. The service provider is in Ireland, don't notify anybody.
If a journalist in Germany or a woman had an abortion ‑‑ then, I said it made sense to request the permission of Germany. This is very rare. This concern only 7% of situations. So not effect ‑‑ I finish, Emily. It would not affect in any way the efficiency of the regulation.
The Council finally the Parliament ‑‑ it was presented to the Parliament, but the Parliament did not follow this for a series of reasons I can explain later. Instead they said, you know, this is a compromise found yesterday. They said yes the resident criterion is very important. In my example if Poland wants to request the data for instance, of the Germany citizen in Berlin, they will not notify Germany, they will have to notify somebody, but not notify Ireland. Why? Because Google is there. And it is supposed to be Ireland that will operate this control.
I think this is problematic. You know, we are accused in the GDPR Ireland of not dealing with the compliance and suddenly Ireland will play the role of superman of human rights. Respecting human rights and law enforcement. This could be problematic. Thank you very much.
>> MODERATOR: Thank you very much. I appreciate that worked example. You know, from the outside of this problem, you think, well, agreement between EU Member States should be absolutely plain sailing. You are describing a six year event with unsatisfactory compromise and difficult questions. The obvious one ‑‑ it would be interesting to hear Aisling Kelly's view. Are resources going to flow into Ireland as a result of this? It does come down to this, doesn't it Theodore, is Ireland and Luxemburg are finding themselves in the center of things.
These are limited resource Member States. I would like to open the floor for questions. Please, if you are in the room, I know that several people join would in the physical room while we were hearing from the initial speakers. Welcome to the session on Cross‑Border Data Sharing for Public Safety or evidence sharing and mutual cooperation.
Yasmin is the onsite moderator. Let people know who you are. Or let us know in chat if somebody wants to take the floor. Likewise, if you joined us online, please do raise your hand.
So I would just like to start ‑‑ come back to you Aisling Kelly, if I may. We heard it already. Several people mentioned the MLAT system. The Mutual Legal Assistance Treaty. The mechanism we have, for better or worse. They moan about how broken it is.
We have also talked about protect of rights and human rights. To what extent do MLAT if working perfectly are they are way of protecting human rights and ensuring the safeguards we all acknowledge is so important?
>> Aisling Kelly: I think in theory, they are. The text of the MLAT Treaties, either bilateral or multilateral Treaties will include provisions saying it will only be legitimate heard from a court which is properly constituted which will be recognized. Then what happens for checks and balances is that the incoming MLAT request from say Tunisia, in this example the country is Ireland. And they check that the system is done validly and give it to the sovereign police force to transpose it to a domestic criminal order and serve it on the person.
In theory, there are a lot of set of eyes on this. That is fundamentally to be welcomed. Any new system going forward, I feel personally, the more sets of eyes on the particular request, the better it is for human rights.
The reality of that I think is not so I, I suppose golden. You can have a stretched judicial service or stretched Ministry of Justice or stretched police service and it becomes then for them an additional task outside of their ordinary investigations to complete. The impetus is why should I help Tunisia in this instance? Because I have 20 cases all stacked on my desk. And these are domestic crimes, where there is a necessity to see that things are moving. I don't know whether or not you could qualitatively say that there is an improvement of human rights in the MLAT process. I think it is designed to have that. I don't know if the outcome at the end of the day is that everyone's human rights are respected.
>> MODERATOR: Thank you very much. I can see from Yasmin that we have some inputs from the floor. I would like to give the room the floor next, if you would like. And hear from that. Bertrand, I'm aware you want to which in. We've also got a question from Greg from CDT on the chat. So Greg, if you can get your video and microphone lined up, what I will do is go to Yasmin first, then Bertrand and then to you and very much welcome any inputs from the floor or Zoom room. Yasmin, the floor is yours. I think you are muted.
>> Testing audio.
>> Good. Hello, Emily, my name is Gabrielle. I'm a law enforcement officer from the United States.
>> MODERATOR: Hello.
>> ATTENDEE: Hi. I'm speaking in my personal capacity and asking in personal capacity. It is my experience in my country, requests for information that might infringe on privacy rights seem to require more need for the questions. Open searches, little review. Asking for the simple thing who is the subscribe, what their name is that might require court authority. If I ask for contents of communication that might require significant review. My question to Theodore, how is that in the evidentiary data flow across borders.
>> MODERATOR: Thank you for that point. I know Bertrand wants to come in. It was posed to you Theodore, but equally to anybody else on the panel that wants to contribute on this. So shall we go Theodore Bertrand and please Aisling Kelly and Marjorie Buchser feel free to contribute.
>> Theodore Christakis: Yeah, you had a question in the chat about I will, for the persons who are there, what is the logic of requires ‑‑
>> MODERATOR: Theodore, shall we come to that in a second? Because I'm going to give Greg the floor to pose that question and we can talk about that. So to Gabrielle's question about the granularity of oversight. You know, depending on the sensitivity of the request. And whether the negotiations are really getting their arms around that complexity. Or whether we are still arguing about, you know, what to call things or gets to be boss?
>> Theodore Christakis: Yeah, there was a disagreement there, also, of course, about what kind of data will be covered. And what will be the regime, legal regime for each kind of data.
Whether there was a disagreement, quickly, I won't enter into the details. I will post probably tomorrow a very detailed analysis of the evidence of all the developments including this question.
If I can put it very quickly, the commission proposed in Italy four different categories of data. Normally, you know, we are all thinking around three categories, which you said are subscriber data, who is hiding behind the social media account or an email account. The second category is what we call globally Meta data, which includes all kind of communications, data traffic, data location, for instance, to an email account, specific email account communicated with which email accounts. We are not ‑‑ just to find out what is the web of the persons who communicated in order to find if there is a connection, of course.
If the suspect sent the message to the victim, for instance, in the law enforcement negotiation. Or if the suspect sent a message to something that is accomplished for the crime. This is Meta data and the content data which is the content of the email. The Commission broke this to four categories, subscriber, action, and content data. It created a lot of reactions. The compromise was we go back to the well-known subscriber, Meta data and content data. To answer the question now, after this if you want context, we have a different regime. A different regime concerning what you said which is what will be the requirements? For instance, do we need an initial authorization for Meta data and content data and not subscriber data ‑‑ I have not yet the final text. I'm just guessing, it is probable that for subscriber data, the prosecutor can request them without judicial notification.
There was huge debate, the Parliament wanted notification to the other state, to the enforcing state. To go back to the other person later. Finally the compromise found is a notification to the enforcing state where it is located only for Meta data and content data.
>> MODERATOR: Thank you very much. Bertrand, thank you for your patience. I know you were waiting to come in for a little while. If you want to address Gabrielle's question. Or make another intervention.
>> Bertrand de La Chapelle: I will comment quickly on a few. First of all people might be surprised on why we brought in Ireland. You need to understand in the EU evidence regulation, there is an additional element that said any company outside of the European Union needs to designate one representative within the European Union to be the recipient of basically those requests that are going to be send by law enforcement. The hypothesis because a lot of the external American companies are located with subsidiaries in Ireland, this is where it is going to be like it was in the implementation of the GDPR.
What is fascinating and goes to the question raised earlier, what is fascinating is for whatever reason the representative of the company is moving to another place, it can be Slovenia or Cyprus, suddenly Cyprus or Slovenia are the countries that are the executing country and there is a burden of change because one company may have changed their representative.
It is a very, very difficult solution. There are a lot of people from the German Ministry of Justice have said that this is not a scalable solution.
I wanted to highlight why we're talking about Ireland. It is the question of the representative.
Second thing, quickly, the mutual legal assistance system we have a tendency to have and it is broken. It is not that it is broken. It is that it is not scalable to the volume we're talking about. It is problematic in my view, regarding the position of having followed the lays of a country that has nothing to do with the case.
It is funny, I was about to basically mention, Greg, before he asked the question because he's been also very vocal in many environments, including the work we have been doing together for 30 years by saying the MLAT system has a problem of course of scalability, but at the same time, the obligation of a particular strength in the U.S. system, which is a notion of probable cause which is a high standard for obtaining a warrant et cetera. Was basically protecting people around the world. Little bit like a First Amendment, in the freedom of expression around the world.
There is indeed a tension. One of the big challenges is how can we make sure the regimes developed provide protection that is sufficient. It may not be the one exactly that the U.S. imposes, but sufficiently close in the group that we gathered several years. I put the link in the chat. There were some formulations regarding an intermediary element. The final point ‑‑
>> MODERATOR: Can we hold the final point, Bertrand. Sorry to cut across you. You mentioned Greg. He's been made a co‑host, we can hear from him and join this mini debate. And I want to come to Aisling Kelly about the role of Ireland, if I may. Let's hear from you Greg, then we'll go to Aisling Kelly. Thank you. Then we'll come back to you Bertrand for the final point.
>> Greg: Per Ireland. There will be a million shoots for poor Ireland. They won't care about whether the ball goes into the net. Their nationals are not involved and they get notice. That notice will go in the circular file, a waste basket. I don't understand at all. In the MLAT, the requested country has an interest. Usually the data pertains is in that country or national of that country.
But now, this takes away that country's ability to put a check on the overbroad or mistaken or simply abusive data request from the country that is making the request. I don't understand how they ended up there. Theodore, if you can help me understand that I would really appreciate it.
>> MODERATOR: Thank you very much, Greg. It is a great point about you know where the urgency lies, really. Because I think coming to this from outside, you think this is an urgent debate that ought to be solved. It if it is not urgent for all the parties, different senses of steak. I was interested Aisling Kelly in your view of this idea, the role of Ireland or EU Member States are finding themselves prominent, and what the practical implications are.
I don't want to be too down in the weeds about MLAT, if we take the idea of well, if it takes so long, the justice delayed is justice denied surely. The fact it isn't scalable is a problem.
If we take it as more general. Keen to hear your views. I will maybe give Marjorie a chance to come in and Theodore and encourage participants to raise their hand or let Yasmin know if you want to join the debate. Aisling Kelly, the floor is yours.
>> Aisling Kelly: I'm stuck between a hard place and a rock. I am a nationalist to Ireland. I want to answer in an objective way. It makes sense that the country of nationality of data subject is the country with the most to lose if the citizen's rights are being infringed. The country in which the multinational happens to have the main establishment for EU purposes has less skin in the game. I think that is objectively true. I suppose the optimist hopes that Ireland takes the responsibility seriously and staffs the Department of Justice unit, which will be responsible for the notifications appropriately.
I think other EU Member States have a role in holding the other countries to account. If they believe, as does the Commission if they believe the obligations are not looked after properly, they would be litigated or enforcement proceedings.
The mutual trust Theodore spoke about early on. That exists in the EU system of the arrest warrant. There has to be being mutual trust and affordability and follow on if not recognized.
>> MODERATOR: Marjorie, did you want to raise another point.
>> Marjorie Buchser: Not really, I really appreciate the expertise and probably because I'm playing catch up with the sun, which is quite unusual.
>> MODERATOR: Looking very mystery out.
>> Marjorie Buchser: Trying to improve that, but it is being difficult. It is less specifically on the point ever the legal regime of the Ireland role, a reflection of the discussion, as you can tell, it is European and western. That is a very important point and something I would like to have the audience participate on, potentially. Clearly, liberal democracy are not aligned on this and struggle to find common language and principle, the fact is criminal investigation, legitimate one can happen anywhere. There is questions about sharing data with countries that are slightly less democratic or where the trust is even harder to build. What type of principle some discussion can be had. That is an area I would like the panel and audience to reflect on.
>> MODERATOR: Thank you. That is a great point. Something that I think I wanted to come to as well. Who isn't part of the conversation? Clearly, you see the difficulties in reaching any kind of working agreement between close analyzed on paper that should be clearly with the rights, safeguard and rule of law, but likewise, countries outside of that club also have urgent need to solve crimes, combat terrorism and public safety threats. How do we extend the conversation? When is the right time? Will we do this forever?
Theodore thank you for waiting to take the floor. You had several questions posed to you. Maybe you can take on the theme Marjorie raised about the countries and stakeholders not yet in the conversation.
>> Theodore Christakis: I was watching because Greg posted another. I will respond to the first issue where Bertrand has already started to give elements of response. I entirely agree with Greg and I think that we all agree on this. In the example we gave, Poland, for instance, wants to request the data of a Germany person in Berlin of a resident in Germany, that it is weird. Germany has an obligation to protect its citizens. It makes sense to send the notification to the country of residence. Instead of sending to our land who has no interest in intervening, simply because this is where Google has its legal representatives. This could change.
To be frank, there are good argument it is, which are simply said, in the compromise found. Only two countries that are involved, which is the issuing country, Poland and country where the service provider is located, Ireland.
If you go to the country of resident, if you go from Poland to Germany, you have two countries. If the service provider in Ireland doesn't execute the order, you need to involve Ireland because this is what we call the executing stage. It can oblige data to give to Poland if Germany doesn't object.
If you involve three States, it is more complicated, in bureaucracy, more translations, et cetera. There is a simplicity argument. Human rights require efforts. And taking into consideration once again, let's not forget that as a matter of fact, if you systematically inform the other state, this is a communication. If you inform the other state when the person is issuing out of the state, accident this is seven% or 8% of cases, it can be handled from a bureaucratic view.
There was another argument that I never understood, gape the idea of sending notification to the resident is we're talking about the fact that service provider are mostly U.S.
And you have European providers. You have the national telecoms, you are proud of. Countries like France or Germany could never in their imagination would not accept for the national provider they would not be involved.
>> MODERATOR: Yeah.
>> Theodore Christakis: The idea was you necessarily need to send this to where the provider is located. Is it satisfactory from the point of view human rights.
I'm sorry to add this. It is very important.
>> MODERATOR: Very quickly.
>> Theodore Christakis: If you inform only the country of residence, Poland informs Germany. If they're in Poland how do you deal with the rule of law problems? No notifying. While in the compromise found, I think we adopted the Parliament’s approach. If Poland wants to target the Polish person, they need to notify Ireland. Otherwise I agree with Greg this is not satisfactory.
>> MODERATOR: Yeah, thank you. I feel like my brain is beginning to melt with the complexity of this. I can see Georgia wants to come in with a question. Very much encouraging anybody that is in the virtual room or real room, if you are on‑site, I will let Yasmin know you want the floor and she will raise her hand virtually in this room so we can see her. Thank you for that.
Particularly people from Civil Society, Global South, women we would like to hear from as part of this debate. Please do take the floor. I want to go to you Georgia Osborn with your question, thank you, the floor is yours.
>> Georgia Osborn: Thank you, I'm not sure if you can hear me. My question is to bring it to the granular level. I heard Bertrand talk about a lot of the issues are often around things like somebody is murdered. There is a real crime that effects real people.
I think sometimes with all of the legal debate the, we can get lost in what is actually at stake.
I'm speaking as a former law enforcement perspective as well. I would be interested to know Aisling Kelly's view in particular. How do we make this more accessible for the law enforcement officers and families that have to deal with the crimes in real terms to understand the complexities of this and make the direct requests easier so the harm does not really affect how ‑‑ we have to basically come together to fix this, so that people can get justice for real crimes.
So that is a clear question, but also I would be keen to hear from the Civil Society side around privacy as well.
Aisling Kelly, I'm not sure if you can maybe answer that question, but also Bertrand and anyone that would like to intervene, thank you.
>> MODERATOR: Thank you, Georgia, and for bringing us back to people and victims of crime. It is easy to lose that connection with the reality. Because it is a complex area. Aisling Kelly thank you for addressing Georgia's point.
>> Aisling Kelly: Yeah, it is heartbreaking dealing with victims' families. I had an organized crime prosecution where the only evidence was coming off phones and location data. That was the only way that the prosecution could actually get up off the ground. Without that there wouldn't have been a prosecution for that horrific murder. It is really important. Because what is happening ‑‑ I said in the opening remarks, there is continued lawlessness. If we don't address the problems, you know, you won't get prosecutions arising out of real life tragic incidents.
I think like anything in real life day‑to‑day law enforcement, it requires investment in training people. Some countries have more ability to do that, than others. Prosecutors having an understanding and thirst for this as well. As time moves on ‑‑ we're really early in the period of cross‑border data sharing. I was casting my mind back to the first smartphone I saw in 2007. I thought it would never catch on. How wrong was I?
It is early days in the smartphone kind of explosion. I think the ‑‑ it may take multiple tragic instances where there are no prosecutions arising out of it for there to be a ground swell within each country to actually push the politicians to buy in to legislate for it. I think that would be my answer to that remark. I really welcome it, thanks, Georgia.
>> MODERATOR: Thank you. Bertrand, did you want to comment on this? You had your hand raised before. So maybe we can hear the point you wanted to make the last time as well.
>> Bertrand de La Chapelle: There is a combination. I agree with Aisling Kelly. The fact we're relatively early in this is true. I would say that having followed those issues for basically about 10 years now ... there is a real evolution in the discussions around the Cloud Act, around the additional protocol for the Budapest Convention and electronic evidence have put the issues on the table. The discussion we had whether a country is represented and the representative is the right to oversee a number of things.
Nobody had that in mind when the first proposal by the commission was put on the table. And it is in back and forth with the Parliament that produced a complex system that was reproducing the MLAT system, in what was supposed to be a direct request mechanism.
We all, understanding the different dimensions. I want to give two examples. In that regard it is the indication of involving other actors, it is an important question.
The one concrete element is on the question of the types of data, we had a strong discussion within the groups that we organize. We discovered an interesting fact. Subscriber information used to be who has the email address or telephone number. If you ask for subscriber information on a website or application that is basically dedicated to a specific category of people, regarding gender orientation or religious orientation, et cetera, your subscriber information is meaningful information that was absolutely not accessible before.
I will put in the chat a document that we produced to frame this question. Because as we get into extended reality, virtual reality, metaverse, FitBit, there is data that cannot be shoehorned easily into the three categories that Theodore mentioned, subscriber, metadata and content.
Finally, the second point I wanted to mention is the co‑lesson of the 10 years of discussions, the last five years in particular, regarding how can this scale? Because at the moment we have regimes that are entered on the U.S., regarding the so‑called Cloud Act that we won't discuss here but another architecture. The European e‑evidence regulation that is supposed to be finalized these days. And the protocol to the Budapest Convention. An enormous amount of countries with no regime. They're struggling with something that is very important for the overall structure of the Internet, which is that because they cannot solve this problem easily, they have a tendency to either adopt data localization laws or to go in another route, which is evenly more dangerous of absolute extraterritorial extension of the authority, by saying minus no legislation is sufficient.
Surprisingly it was a route taken early on ‑‑ not so much now ‑‑ by Belgium, where one prosecutor went three times to the Supreme Court in Belgium to obtain the authority on the basis of pure Belgium law of obtaining data I don't remember ‑‑ I don't remember. And Brazil is in the discussion around this. The case that whether it is sufficient to compel WhatsApp to provide the subscriber data to law enforcement.
Long story short ... one of the avenues forward is that when you look at the structure of the evidence regulation, you can think of it as a sort of software where you have basically one line that goes straight from when everything goes well. There is a properly formed request. By a perfectly responsible country that sends it to a company that is doing whatever is needs and provides the data, everything is fine.
You have a certain number of loops like in a software program, like if‑then, that says if the request is not complete, this is the loop that will work. If the request is really problematic does the company have the capacity or not to ring a bell and say I would like it to be reviewed by somebody else? If there is noncompliance by the company, what is the loop for enforcement? If you look at the infrastructure in the documents I put in chat, you can have a blueprint for responsibly developing in each country everything ‑‑ I know the cross‑border data, particularly (?) has worked intensely on the case of India for instance, on how to adapt national laws so we have an interoperable system and not necessarily global framework. We have not each mentioned the discussions in the U.N. about the convention.
The scalable system with proper structure inspired by the discussions over the last five years will probably be the way forward.
>> MODERATOR: Thank you. We have given the legal situation, the policy situation quite a good airing here.
I would like to shift gears if I may while encouraging and renewing the invitation to people in the room, online and physically to participate in this conversation.
Isn't it true, Marjorie, Aisling Kelly that when there is policy chaos, there is still an urgency and people need to muddle through somehow. In that mess you start to innovate or see practices that are good enough in some situations. Marjorie in your research work or Aisling Kelly in your real world experience, can you lead us to examples of the stuff that evolved from the need to do something while everybody sorts themselves out? The good practices that can be an inspiration in taking this forward for practical solutions. Marjorie, should I turn to you first and give Aisling Kelly a go?
>> Marjorie Buchser: I mean, from where we stand, which is research project looking at multistakeholder, where I see the greatest advancement is putting people in a room, people that usually haven't met before and sort of practitioner, law enforcement practitioner, national security agent as well, with an individual with the grief about personal data and privacy and big companies. It is not always very comfortable. But nonetheless, I think that it became very apparent how useful it is.
So it does force into actions are very useful. And are becoming, I would say, more frequent.
The other aspect, which is not necessarily new, but which we see some great development in the spaces is negotiation of transparency and transparency report. Which again speaks more to this notion of engaging a broader audience. But at least on a voluntary basis, disclosing what type of data has been shared, how it has been shared, which countries, et cetera. This is a practice that started a little less than 10 years ago. I think most of the companies are developing this. Some Government as well. And I think that if we can have transparency on both sides, it also helps build trust about what kind of data is shared and how it is shared also globally.
>> MODERATOR: That's great. Aisling Kelly, I can see also that Yasmin is signaling there is a question from the room. Yasmin I will go to you after we heard from Aisling Kelly, thank you.
>> Aisling Kelly: Well, briefly, to say that I agree with Marjorie, transparency practices have been helpful in the absence of a proper international framework. I think, you know, companies dealing with the requests have an obligation to act responsibly. There is responsible corporate behavior that is a really important act. The people doing this work for large companies certainly are well experienced lawyers. And you have an ability to construct I suppose in the absence, again, of a proper international framework, what you would regard to be robust practices, which are capable of withstanding judicial oversight in a democratic rule of law situation. That is certainly the practice that I operate in. I always come to it in a point of view of what are our actions doing ‑‑ are our actions which we take today capable of retrospective justification in 10 years' time before a court.
If I can stand over that, I feel like I had a good day in work.
>> MODERATOR: Thanks for that Aisling Kelly. It comes down to resources as well, doesn't it? Because actually the companies, as you say, they are in a position where they have to be international in the way they look the things, right? Because of operating in so many countries and being on the receiving end of, you know, all of these extraterritorial laws that are often completely contradictory. There is a resource there. And often people like yourself who have come from Public Sector and Civil Society roles and can blend the experiences. As Marjorie said, it is the benefit of bringing together people that wouldn't normally speak to each other. This is an area where there can be a benefit from that.
Yasmin, can I turn to you now with a question from the floor? Thank you.
>> Sure, one hand raised from the lady over there. Thank you.
>> ATTENDEE: Thank you, everyone, for the panelists for the presentation. Could you please elaborate ‑‑
>> MODERATOR: Excuse me. Sorry to result interrupt you, would you let us know your name and affiliation.
>> ATTENDEE: I'm Katrina and I'm a member of the ISOC youth program.
>> MODERATOR: Welcome to the debate, Katrina.
>> ATTENDEE: Can you go more into the decentralized technologies and development of crypto currency and for example, cases of exchange platforms, bankruptcies, involving alleged fraud or fraudulent action, how are the cases approached? Thank you.
>> MODERATOR: Great. Thank you very much for the question. And a really important point in terms of emerging technologies, often in technology debate it is, to put it kindly, we're catching up with technology and not always on the front foot. A question there on, you know, how does the whole decentralized technologies, crypto currencies, so on.
I can see Theodore wants to comment on this. And others, if this is part of your work, please help address Katrina's question.
>> Theodore Christakis: I will let others consider crypto currency. With the problem with encryption, in the evidence, if I remember well, in the Cloud, it is stated that there is no obligation to decrypt the data. So if a service provider for instance, I see Aisling Kelly agrees. You will send them with wishing good luck to the law enforcement authority.
>> MODERATOR: Thank you very much. Aisling Kelly, all of the decentralized technologies, crypto currency impinging on your working life.
>> Aisling Kelly: From the law enforcement agencies, I don't assist them. But in Microsoft we have crypto investigators and I know there are those that do training on the crypto. It is hard enough to get information from banks, let alone a decentralized finance structure. You need specialized skills to do that. If I can think of the name of companies that offer that training, I will put it in the chat.
>> MODERATOR: I think that is useful. Making progress comes down to the practical steps like training, resources, staffing. Marjorie and Bertrand, likewise.
>> Marjorie Buchser: Briefly. It is a brilliant question that speaks to two key problems. The first one is what we describe as the pacing problem. The legal framework is slow. And we're battling with that issue. But obviously, you know, new form of data and sort of decentralized system is not yet always well represented in the discussion we're having. That is not only on data. If you look at the digital service act in the EU, it will be hard to include that type of decentralized model. It is the first one.
The second point is that it is almost ironic that actually big companies instead of decentralized systems causing monopoly. It is easier to request data from them because they have lots of structure and system to help you do that. If you have a lot of small companies, it is much harder because then you have even more actors to interact with. So actually, the decentralization, and proliferation of factors is a problem also in that context.
>> MODERATOR: Thank you. That brings in an acknowledgment of the question that Georgia posted in the chat as well. You know, what about the smaller companies. Maybe I can sort of pose that to you Bertrand as the wider question. If we can extract from Katrina's question.
Like who isn't involved in the conversation? Who would benefit ‑‑ who would the conversation benefit from them being in the conversation, if you like to make progress on these issues? I know when things are hard, you want to kind of keep it small, because you will never feel like you will never make progress. But at some point it has to be more open than it is now, right?
>> Bertrand de La Chapelle: A few things, the first thing about crypto and decentralized technology, there is an investigation, like into misbehavior in crypto, like we see in the press all the time. There is the traditional mode of communication that people may be using, can be email, but increasingly encrypted as Theodore was mentioning. And then there are the technologies themselves. Like who are the operators of the crypto currencies themselves or the exchange places? The marketplaces. These are new actors and there will be a question of how dot regulations ‑‑ do the regulations adopted now, how do they apply and how much do they apply to the new actors? Apart from the diversity or size, there is also the kind of jurisdictions that are involved. Because FT access is heavily connected with Bahamas. I'm sorry, we thought we had a problem dealing with United States and major big companies? But the problem is already much simpler this way than dealing with a relatively ethereal ‑‑ no pun intended ‑‑ structure that is based in one particular small country.
So it is not going to be simpler. But I think it is important to understand that the regulations that we're adopting right now, even the e‑evidence regulation will only be fully enforced and implemented in two years or two and a half years, after the formal adoption. So when in the two years, the technology will have evolved and new services and new types of data, what about the metaverse, et cetera, it will be interesting.
>> MODERATOR: Yeah.
>> Bertrand de La Chapelle: The point to finish with, going to the smaller companies, without naming names, people don't necessarily understand the absence of the clear framework and choice of either MLAT or nothing is actually leading to less protections. Because there are alternative modes. And those alternative modes are lacking in many regards. Data localization. Or voluntary disclosure, and here you're into the competence of the smaller platforms. Because the smaller actors don't know where their obligations lie.
I have participated without naming names in a seminar where basically a number of small actors because they want to do good, are actually communicating on voluntary disclosure much more than what they should be communicated according to the law. We need the regulatory framework so we have the due process and access.
The point about the platforms is one of the most important ones because we're dealing with scale. We need to have platforms to channel those requests from public authorities to private actors. The problem is every country is developing their own submission tools. Most of the large platforms are developing their own portals. This is not about the one single system. It is about dealing with what we have labeled as the interoperability of the tools for submitting requests.
>> MODERATOR: Thank you.
>> Bertrand de La Chapelle: That needs to be something we are actually beginning to facilitate.
>> MODERATOR: It is a really important point you raise. Both in the context of smaller companies, but also the protections and safeguards, if you are falling back on voluntary processes and trusting ones, then those safeguards might well not be there.
And talking of another area in which, you know, so paradoxical, I don't think there has ever been more data available about people publicly. People are very comfortable with sharing their innermost secrets and brings you probably wouldn't want your mother to know about in a public way.
It seems like the sharing of data in the formal complex for public safety is more and more difficult. Is it because we are stuck in a mental model where actually we have to go through our old analog processes and actually question should be raising the profile of open source intelligence as a way of getting the evidence we need? What would be wrong with that? I don't know if any of the panel want to respond to that? Or maybe anybody in the room that would like to comment on that?
>> Aisling Kelly: It is a complicated issue. I have looked the organizations doing open source. It is amazing what is out there. The question is you are actually unintentionally involved because of the data breaches on the Dark Web. They have to have regard to. Open source is definitely necessary for lots of things. And you may not have to trespass into illegality but it does operate in the world where it is highly regulated and on the Dark Web the dump of data breaches.
>> MODERATOR: It doesn't need to be illicitly taken. Their friends, networks, so much metadata about people, that in the past you would need to question people for months before you found out after looking at an average social media profile.
>> Aisling Kelly: It is how most people date these days.
>> MODERATOR: You have a question from the floor. The floor is yours.
>> Not so much a question, but a response to your question about using open source information versus that obtained through legal process.
I want to make the comment, yes absolutely a great deal of use and utility in obtaining open source information doing research of your own online. However, sometimes people lie on the Internet too, the ability to actually have an authoritative source of the information you obtain is of critical experience when you need to go before the Court and jury and to seek beyond a reasonable doubt that it is credible.
>> MODERATOR: Yes. A silent lesson for, sometimes people don't tell you the truth. The famous cartoon of two dogs with the computer. It says on the Internet, no one knows you are a dog.
>> Bertrand de La Chapelle: Now you know what you ate yesterday.
>> MODERATOR: Exactly. We have just five minutes left. Can I give the panel a find word? Can we look for a word and engage our optimism part of our character to think about the progress we have made. You know, either think about the last 12 months or so, the progress that has been made. And you know, where you feel that there is really low‑hanging fruit where progress could be made, as we go forward.
Can I start with you Marjorie?
>> Marjorie Buchser: Yes, you may, thank you, Emily. I would like to ponder for a second about the road traveled. If I think at this point, we are reaching the function that are crucial to national sovereignty, public safety, national security, et cetera. It means this discussion about the impact of digital technology they're transnational and changing the nature of sovereignty is going throughout the different function of Government has evolved tremendously as a debate. I think that is to say the transformation and transformation of sovereignty is definitely a discussion we are hearing today.
The point of you know hope, again, just to go back on transparency, I think that there is an effort to, you know, more broadly publish what is happening. At an aggregate level. This is it an effort to salute and promote. We have discussed about oversight. If you can have an individual trust mechanism and the process in the individual trust mechanism. And providing independent oversight, in the democratic countries or context. Provide some trust about, you know, the check and balances that are put in place to make sure that we support the legitimate criminal investigation and limit the abuse of data collection.
>> MODERATOR: Thank you very much. Theodore, the optimism part of you. Where do you feel progress has been made and we can make more progress?
>> Theodore Christakis: Quickly, I don't necessarily have an optimistic view about this, but I think it is important to get the U.N. cybercrime negotiations right in the way of human rights. I will move to the optimistic part, Emily as you requested to end on a positive note. e‑evidence will be adopted. There were improvements. It is not perfect, but it opens the way for something extremely important, which is to negotiate an EU‑US‑Cloud document. There you really need to get it right. I think the two parties have not understand what is the major importance of this agreement.
And how important it is for Cloud providers all over Europe and the United States, for companies, how important it is in order to resolve the conflicts that we will have after the adoption of the e‑evidence. This is something extremely important.
I would bet my optimism there. This is very challenging. We are all ‑‑ I think I put in the chat about it. It is extremely important. If they get it right, this can become a model for other countries.
>> MODERATOR: Thank you very much. Bertrand, 30 seconds on what you are feeling happy about.
>> Bertrand de La Chapelle: First of all, the discussion today was useful. It shows 2023 is the time to take stock on this issue. We have a tag line that is basically, we need to talk about electronic evidence and make it more understood by Cloud actors, the UK made the agreement, Canada is having a discussion. Australia is. There is a model, there is evidence, regulation and as Theodore said, there is a need for discussion with U.S. and Budapest electronic additional protocol and U.N. discussion. It is time to sit down and draw the lessons of the last years.
The second thing is there are two tracts that make me optimistic that need to be addressed. One is the interoperability of norms. How do we scale up and build on the building blocks that exist in the evidence to have national legislations that are robust. And second, how to improve our understanding of the interoperability of tools.
>> MODERATOR: Thank you. 30 seconds from you Aisling Kelly.
>> Aisling Kelly: This is the year we had the first multilateral instrument on access to cross‑border data with the second edition protocol to the Budapest Convention. That gives great cause for optimism. I encourage every country that is a member of the Council of Europe to sign up to the parent Budapest Convention on the second edition of protocol.
As Bertrand is saying, talk to people, colleagues, journalists in your life, Civil Society actors, people need to know about this. I bore people to tears sometimes who work in law enforcement trying to explain to them why this is important.
So we do need to ‑‑ everyone has a sphere of influence of at least 10 to 20 people they can reach out to after today. Do you know about this issue? Maybe we should think about it and what our response will be.
>> MODERATOR: Thank you. That is a great call to action to all of us. All of us can translate this issue into terms that are meaningful for ourselves and networks and also remembering the victims of crime as well.
I need to close the session now with a huge thank you to our panelists that shared their incredible expertise so generously. Thank you to the people that participated in the room and online with your questions and your engagement. And also big thanks to the session organizers at Chatham House, and Oxford Information Labs and those that have done so much behind the scenes and Yasmin in the room to make sure this session happened. Thank you very much, everybody. I'll close the session.