Embed Size (px)
Citation preview
Digital evidence in criminal Digital evidence in criminal proceedings: legal considerationsproceedings: legal considerations
Arkadiusz LachArkadiusz Lach
Department of Criminal ProcedureDepartment of Criminal Procedure
Faculty of LawFaculty of Law
University of Nicolaus Copernicus in University of Nicolaus Copernicus in TorunTorun
TerminologyTerminology
Evidence in an electronic form is called Evidence in an electronic form is called computer evidence, electronic evidence, computer evidence, electronic evidence, digital evidence, IT evidence, electronic digital evidence, IT evidence, electronic traces, etc.traces, etc.
IOCE definition of digital evidence: IOCE definition of digital evidence: information stored or transmitted in binary information stored or transmitted in binary form that may be relied upon in courtform that may be relied upon in court
Electronic evidence is the most neutral Electronic evidence is the most neutral name name
Classification (ex.)Classification (ex.)
Evidence collected in real time and Evidence collected in real time and collected while stored: some problems may collected while stored: some problems may arise how to classify certain forms of arise how to classify certain forms of evidence, ex. e-mailevidence, ex. e-mail
Documentary evidence and real evidenceDocumentary evidence and real evidence Substantive evidence (independent, ex. Substantive evidence (independent, ex.
electronic documents) and demonstrative electronic documents) and demonstrative evidence (ex. computer animations)evidence (ex. computer animations)
Main legal problems connected Main legal problems connected with electronic evidencewith electronic evidence
Interception of communicationInterception of communication Collecting traffic data in real timeCollecting traffic data in real time Extended searchExtended search Power to copy, retire, make inaccessible electronic Power to copy, retire, make inaccessible electronic
datadata Data preservationData preservation Data retentionData retention CryptographyCryptography Gathering electronic evidence by private persons, Gathering electronic evidence by private persons,
especially employersespecially employers
Interception of communicationInterception of communication
Range of interception: how far should it be Range of interception: how far should it be allowedallowed
Subsidiary clause (ex. art. 19 Police Act Subsidiary clause (ex. art. 19 Police Act 1990 in Poland)1990 in Poland)
Regulations on interception must be clear Regulations on interception must be clear and precise to meet requirements of art. 8 and precise to meet requirements of art. 8 ECHRECHR
Evidence or only information? Evidence or only information?
Real-time collection of traffic Real-time collection of traffic datadata
Traffic data: art. 1d of the Convention on Traffic data: art. 1d of the Convention on Cybercrime: the origin of communication, its Cybercrime: the origin of communication, its destination, route, time, date, size, duration, type of destination, route, time, date, size, duration, type of underlying service (auxiliary to the communication underlying service (auxiliary to the communication itself)itself)
The difference between traffic data and content data The difference between traffic data and content data in e-communication is decreasing, ex. in e-communication is decreasing, ex. http://www.google.com/search?hl=en&ie=ISO-8859-http://www.google.com/search?hl=en&ie=ISO-8859-1&q=sex+kids&btnG=Google+Search1&q=sex+kids&btnG=Google+Search
Despite the fact that real time collection of traffic data Despite the fact that real time collection of traffic data is generally less intrusive than interception of content is generally less intrusive than interception of content there should be an independent control over it there should be an independent control over it (ECtHR: Malone) (ECtHR: Malone)
Extended searchExtended search
Two possibilities:Two possibilities: Police conducting a lawful search is allowed to search Police conducting a lawful search is allowed to search
another system when there are reasonable grounds to another system when there are reasonable grounds to believe that relevant data will be found on the another believe that relevant data will be found on the another systemsystem
Judge may specifically authorise by warrant a search of Judge may specifically authorise by warrant a search of a computer or dataa computer or data
Traditional way is a simultanious search of computer Traditional way is a simultanious search of computer systems (ex. Operation Cathedral-fighting child systems (ex. Operation Cathedral-fighting child pornography)pornography)
Extended search should be limited to the territory of Extended search should be limited to the territory of executing country to avoid sovereignity infringementsexecuting country to avoid sovereignity infringements
Power to remove, render Power to remove, render inaccesible, copy electronic datainaccesible, copy electronic data
„„seizure” traditionally relates to data with a seizure” traditionally relates to data with a physical carrierphysical carrier
„„removal”means seizing data without destroying it removal”means seizing data without destroying it „„rendering inaccessible”-ex. encrypting data when rendering inaccessible”-ex. encrypting data when
harmful (child pornography, viruses)harmful (child pornography, viruses) Copies could be make by police not to deprive the Copies could be make by police not to deprive the
person serched of data or in some circumstances person serched of data or in some circumstances by the person searched when it is relevant and by the person searched when it is relevant and important to businessimportant to business
Data preservationData preservation
Preservation orders („freezing orders”) Preservation orders („freezing orders”) oblige holder of certain data to maintain its oblige holder of certain data to maintain its integrity until more formal steps are taken, integrity until more formal steps are taken, ex. production order is issued by a judgeex. production order is issued by a judge
To react quickly and effectively police To react quickly and effectively police should be allowed to issue such ordersshould be allowed to issue such orders
Art. 16 i 17 CyberConvention: preservation Art. 16 i 17 CyberConvention: preservation traffic data and other kinds of data up to 90 traffic data and other kinds of data up to 90 days with the possibility of prolongationdays with the possibility of prolongation
Data retentionData retention
It must be distinguished from data preservation-it is It must be distinguished from data preservation-it is storing of all traffic data „just in case”storing of all traffic data „just in case”
Art. 15 directive 2002/58/EC allows EU members Art. 15 directive 2002/58/EC allows EU members retention for a limited period retention for a limited period
Basic problems: storage, retrieval, costs, privacy Basic problems: storage, retrieval, costs, privacy protection,protection,
Period of retention: should be standarised within EU and Period of retention: should be standarised within EU and meet the proportionality principle.meet the proportionality principle.
In Belgium the period is 12 months, in UK it is In Belgium the period is 12 months, in UK it is proposed to set different periods for different types of proposed to set different periods for different types of data (ex. 12 m. for phone metering, 6 m. for e-mail, data (ex. 12 m. for phone metering, 6 m. for e-mail, SMS and EMS data, 4 days for proxy servers logs)SMS and EMS data, 4 days for proxy servers logs)
CryptographyCryptography
More and more communication become encryptedMore and more communication become encrypted Law enforcement agencies are not able to break Law enforcement agencies are not able to break
every cryptographic protectionevery cryptographic protection Communication service providers can be obliged Communication service providers can be obliged
in certain circumstances to decrypte certain files in certain circumstances to decrypte certain files when they use cryptography but not to break when they use cryptography but not to break cryptographic protection applied by otherscryptographic protection applied by others
Key escrow and key recovery proposalsKey escrow and key recovery proposals
Gathering electronic evidence by Gathering electronic evidence by private persons, esp. employersprivate persons, esp. employers
In some situations private persons (esp. victims) In some situations private persons (esp. victims) must be allowed to gather or preserve electronic must be allowed to gather or preserve electronic tracestraces
Under certain conditions the traces should be Under certain conditions the traces should be admissible in the criminal proceedingsadmissible in the criminal proceedings
In some countries employers are permitted to have In some countries employers are permitted to have access to employees communications, efforts access to employees communications, efforts should be taken to inform about the control all should be taken to inform about the control all persons which can use the telecommunication persons which can use the telecommunication system, listed situationssystem, listed situations
The role of an expertThe role of an expert
Experts would be needed to gather electronic data Experts would be needed to gather electronic data and assess itand assess it
Experts should be certificatedExperts should be certificated There must be a code of practice for dealing with There must be a code of practice for dealing with
electronic evidence, ex. IOCE standardselectronic evidence, ex. IOCE standards In more complicated cases complex opinion may In more complicated cases complex opinion may
be neededbe needed Does the principle of free estimation of evidence Does the principle of free estimation of evidence
still apply in cases with electronic evidence?still apply in cases with electronic evidence? Private opinionsPrivate opinions
Main differences between Main differences between common law and civil law common law and civil law
countriescountries Legal theory of evidence versus free Legal theory of evidence versus free
estimation of evidenceestimation of evidence Authentification as a condition of Authentification as a condition of
admissibility in some common law admissibility in some common law countriescountries
Hearsay rule in the context of documentsHearsay rule in the context of documents Corroboration ruleCorroboration rule
Polish regulations in CCPPolish regulations in CCP
Art. 218 CCP– collection of traffic data (in real Art. 218 CCP– collection of traffic data (in real time or stored), order is issued by a judge or public time or stored), order is issued by a judge or public prosecutor, under Police Act also by the policeprosecutor, under Police Act also by the police
Art. 218b CCP-data preservation (judge or public Art. 218b CCP-data preservation (judge or public prosecutor) not by the policeprosecutor) not by the police
Art. 236a CCP – regulations concerning search and Art. 236a CCP – regulations concerning search and seizure are to be applied seizure are to be applied accordinglyaccordingly to electronic to electronic data –problem of interpretationdata –problem of interpretation
Art. 237 and 242 CCP – interception of Art. 237 and 242 CCP – interception of communication is allowed only in relation to listed communication is allowed only in relation to listed crimes, typical computer crimes are not enumeratedcrimes, typical computer crimes are not enumerated
Presentation of electronic Presentation of electronic evidenceevidence
The principle of immediacy (best evidence) The principle of immediacy (best evidence) requires to present „original evidence” if possiblerequires to present „original evidence” if possible
In the case of electronic data the concept of In the case of electronic data the concept of „original” and „copy” is with a little significance„original” and „copy” is with a little significance
There are some tools to present evidence in an There are some tools to present evidence in an electronic form, ex. DEPS (Digital Evidence electronic form, ex. DEPS (Digital Evidence Presentation System)Presentation System)
The vision of cybercourtThe vision of cybercourt
ConclusionsConclusions
Electronic traces have to be treated as Electronic traces have to be treated as evidence, not only informationevidence, not only information
Technical procedures of handling electronic Technical procedures of handling electronic evidence shall be obeyedevidence shall be obeyed
Human rights must be strongly protected Human rights must be strongly protected during gathering of evidenceduring gathering of evidence
International cooperation and exchange of International cooperation and exchange of information is one of the basic tasks due to information is one of the basic tasks due to the international character of cybercrimethe international character of cybercrime
Thank you for your attentionThank you for your attention
Questions?Questions?
