19
Digital evidence in Digital evidence in criminal proceedings: criminal proceedings: legal considerations legal considerations Arkadiusz Lach Arkadiusz Lach Department of Criminal Department of Criminal Procedure Procedure Faculty of Law Faculty of Law University of Nicolaus University of Nicolaus Copernicus in Torun Copernicus in Torun

Digital evidence in criminal proceedings: legal considerations Arkadiusz Lach Department of Criminal Procedure Faculty of Law University of Nicolaus Copernicus

Embed Size (px)

Citation preview

Page 1: Digital evidence in criminal proceedings: legal considerations Arkadiusz Lach Department of Criminal Procedure Faculty of Law University of Nicolaus Copernicus

Digital evidence in criminal Digital evidence in criminal proceedings: legal considerationsproceedings: legal considerations

Arkadiusz LachArkadiusz Lach

Department of Criminal ProcedureDepartment of Criminal Procedure

Faculty of LawFaculty of Law

University of Nicolaus Copernicus in University of Nicolaus Copernicus in TorunTorun

Page 2: Digital evidence in criminal proceedings: legal considerations Arkadiusz Lach Department of Criminal Procedure Faculty of Law University of Nicolaus Copernicus

TerminologyTerminology

Evidence in an electronic form is called Evidence in an electronic form is called computer evidence, electronic evidence, computer evidence, electronic evidence, digital evidence, IT evidence, electronic digital evidence, IT evidence, electronic traces, etc.traces, etc.

IOCE definition of digital evidence: IOCE definition of digital evidence: information stored or transmitted in binary information stored or transmitted in binary form that may be relied upon in courtform that may be relied upon in court

Electronic evidence is the most neutral Electronic evidence is the most neutral name name

Page 3: Digital evidence in criminal proceedings: legal considerations Arkadiusz Lach Department of Criminal Procedure Faculty of Law University of Nicolaus Copernicus

Classification (ex.)Classification (ex.)

Evidence collected in real time and Evidence collected in real time and collected while stored: some problems may collected while stored: some problems may arise how to classify certain forms of arise how to classify certain forms of evidence, ex. e-mailevidence, ex. e-mail

Documentary evidence and real evidenceDocumentary evidence and real evidence Substantive evidence (independent, ex. Substantive evidence (independent, ex.

electronic documents) and demonstrative electronic documents) and demonstrative evidence (ex. computer animations)evidence (ex. computer animations)

Page 4: Digital evidence in criminal proceedings: legal considerations Arkadiusz Lach Department of Criminal Procedure Faculty of Law University of Nicolaus Copernicus

Main legal problems connected Main legal problems connected with electronic evidencewith electronic evidence

Interception of communicationInterception of communication Collecting traffic data in real timeCollecting traffic data in real time Extended searchExtended search Power to copy, retire, make inaccessible electronic Power to copy, retire, make inaccessible electronic

datadata Data preservationData preservation Data retentionData retention CryptographyCryptography Gathering electronic evidence by private persons, Gathering electronic evidence by private persons,

especially employersespecially employers

Page 5: Digital evidence in criminal proceedings: legal considerations Arkadiusz Lach Department of Criminal Procedure Faculty of Law University of Nicolaus Copernicus

Interception of communicationInterception of communication

Range of interception: how far should it be Range of interception: how far should it be allowedallowed

Subsidiary clause (ex. art. 19 Police Act Subsidiary clause (ex. art. 19 Police Act 1990 in Poland)1990 in Poland)

Regulations on interception must be clear Regulations on interception must be clear and precise to meet requirements of art. 8 and precise to meet requirements of art. 8 ECHRECHR

Evidence or only information? Evidence or only information?

Page 6: Digital evidence in criminal proceedings: legal considerations Arkadiusz Lach Department of Criminal Procedure Faculty of Law University of Nicolaus Copernicus

Real-time collection of traffic Real-time collection of traffic datadata

Traffic data: art. 1d of the Convention on Traffic data: art. 1d of the Convention on Cybercrime: the origin of communication, its Cybercrime: the origin of communication, its destination, route, time, date, size, duration, type of destination, route, time, date, size, duration, type of underlying service (auxiliary to the communication underlying service (auxiliary to the communication itself)itself)

The difference between traffic data and content data The difference between traffic data and content data in e-communication is decreasing, ex. in e-communication is decreasing, ex. http://www.google.com/search?hl=en&ie=ISO-8859-http://www.google.com/search?hl=en&ie=ISO-8859-1&q=sex+kids&btnG=Google+Search1&q=sex+kids&btnG=Google+Search

Despite the fact that real time collection of traffic data Despite the fact that real time collection of traffic data is generally less intrusive than interception of content is generally less intrusive than interception of content there should be an independent control over it there should be an independent control over it (ECtHR: Malone) (ECtHR: Malone)

Page 7: Digital evidence in criminal proceedings: legal considerations Arkadiusz Lach Department of Criminal Procedure Faculty of Law University of Nicolaus Copernicus

Extended searchExtended search

Two possibilities:Two possibilities: Police conducting a lawful search is allowed to search Police conducting a lawful search is allowed to search

another system when there are reasonable grounds to another system when there are reasonable grounds to believe that relevant data will be found on the another believe that relevant data will be found on the another systemsystem

Judge may specifically authorise by warrant a search of Judge may specifically authorise by warrant a search of a computer or dataa computer or data

Traditional way is a simultanious search of computer Traditional way is a simultanious search of computer systems (ex. Operation Cathedral-fighting child systems (ex. Operation Cathedral-fighting child pornography)pornography)

Extended search should be limited to the territory of Extended search should be limited to the territory of executing country to avoid sovereignity infringementsexecuting country to avoid sovereignity infringements

Page 8: Digital evidence in criminal proceedings: legal considerations Arkadiusz Lach Department of Criminal Procedure Faculty of Law University of Nicolaus Copernicus

Power to remove, render Power to remove, render inaccesible, copy electronic datainaccesible, copy electronic data

„„seizure” traditionally relates to data with a seizure” traditionally relates to data with a physical carrierphysical carrier

„„removal”means seizing data without destroying it removal”means seizing data without destroying it „„rendering inaccessible”-ex. encrypting data when rendering inaccessible”-ex. encrypting data when

harmful (child pornography, viruses)harmful (child pornography, viruses) Copies could be make by police not to deprive the Copies could be make by police not to deprive the

person serched of data or in some circumstances person serched of data or in some circumstances by the person searched when it is relevant and by the person searched when it is relevant and important to businessimportant to business

Page 9: Digital evidence in criminal proceedings: legal considerations Arkadiusz Lach Department of Criminal Procedure Faculty of Law University of Nicolaus Copernicus

Data preservationData preservation

Preservation orders („freezing orders”) Preservation orders („freezing orders”) oblige holder of certain data to maintain its oblige holder of certain data to maintain its integrity until more formal steps are taken, integrity until more formal steps are taken, ex. production order is issued by a judgeex. production order is issued by a judge

To react quickly and effectively police To react quickly and effectively police should be allowed to issue such ordersshould be allowed to issue such orders

Art. 16 i 17 CyberConvention: preservation Art. 16 i 17 CyberConvention: preservation traffic data and other kinds of data up to 90 traffic data and other kinds of data up to 90 days with the possibility of prolongationdays with the possibility of prolongation

Page 10: Digital evidence in criminal proceedings: legal considerations Arkadiusz Lach Department of Criminal Procedure Faculty of Law University of Nicolaus Copernicus

Data retentionData retention

It must be distinguished from data preservation-it is It must be distinguished from data preservation-it is storing of all traffic data „just in case”storing of all traffic data „just in case”

Art. 15 directive 2002/58/EC allows EU members Art. 15 directive 2002/58/EC allows EU members retention for a limited period retention for a limited period

Basic problems: storage, retrieval, costs, privacy Basic problems: storage, retrieval, costs, privacy protection,protection,

Period of retention: should be standarised within EU and Period of retention: should be standarised within EU and meet the proportionality principle.meet the proportionality principle.

In Belgium the period is 12 months, in UK it is In Belgium the period is 12 months, in UK it is proposed to set different periods for different types of proposed to set different periods for different types of data (ex. 12 m. for phone metering, 6 m. for e-mail, data (ex. 12 m. for phone metering, 6 m. for e-mail, SMS and EMS data, 4 days for proxy servers logs)SMS and EMS data, 4 days for proxy servers logs)

Page 11: Digital evidence in criminal proceedings: legal considerations Arkadiusz Lach Department of Criminal Procedure Faculty of Law University of Nicolaus Copernicus

CryptographyCryptography

More and more communication become encryptedMore and more communication become encrypted Law enforcement agencies are not able to break Law enforcement agencies are not able to break

every cryptographic protectionevery cryptographic protection Communication service providers can be obliged Communication service providers can be obliged

in certain circumstances to decrypte certain files in certain circumstances to decrypte certain files when they use cryptography but not to break when they use cryptography but not to break cryptographic protection applied by otherscryptographic protection applied by others

Key escrow and key recovery proposalsKey escrow and key recovery proposals

Page 12: Digital evidence in criminal proceedings: legal considerations Arkadiusz Lach Department of Criminal Procedure Faculty of Law University of Nicolaus Copernicus

Gathering electronic evidence by Gathering electronic evidence by private persons, esp. employersprivate persons, esp. employers

In some situations private persons (esp. victims) In some situations private persons (esp. victims) must be allowed to gather or preserve electronic must be allowed to gather or preserve electronic tracestraces

Under certain conditions the traces should be Under certain conditions the traces should be admissible in the criminal proceedingsadmissible in the criminal proceedings

In some countries employers are permitted to have In some countries employers are permitted to have access to employees communications, efforts access to employees communications, efforts should be taken to inform about the control all should be taken to inform about the control all persons which can use the telecommunication persons which can use the telecommunication system, listed situationssystem, listed situations

Page 13: Digital evidence in criminal proceedings: legal considerations Arkadiusz Lach Department of Criminal Procedure Faculty of Law University of Nicolaus Copernicus

The role of an expertThe role of an expert

Experts would be needed to gather electronic data Experts would be needed to gather electronic data and assess itand assess it

Experts should be certificatedExperts should be certificated There must be a code of practice for dealing with There must be a code of practice for dealing with

electronic evidence, ex. IOCE standardselectronic evidence, ex. IOCE standards In more complicated cases complex opinion may In more complicated cases complex opinion may

be neededbe needed Does the principle of free estimation of evidence Does the principle of free estimation of evidence

still apply in cases with electronic evidence?still apply in cases with electronic evidence? Private opinionsPrivate opinions

Page 14: Digital evidence in criminal proceedings: legal considerations Arkadiusz Lach Department of Criminal Procedure Faculty of Law University of Nicolaus Copernicus

Main differences between Main differences between common law and civil law common law and civil law

countriescountries Legal theory of evidence versus free Legal theory of evidence versus free

estimation of evidenceestimation of evidence Authentification as a condition of Authentification as a condition of

admissibility in some common law admissibility in some common law countriescountries

Hearsay rule in the context of documentsHearsay rule in the context of documents Corroboration ruleCorroboration rule

Page 15: Digital evidence in criminal proceedings: legal considerations Arkadiusz Lach Department of Criminal Procedure Faculty of Law University of Nicolaus Copernicus

Polish regulations in CCPPolish regulations in CCP

Art. 218 CCP– collection of traffic data (in real Art. 218 CCP– collection of traffic data (in real time or stored), order is issued by a judge or public time or stored), order is issued by a judge or public prosecutor, under Police Act also by the policeprosecutor, under Police Act also by the police

Art. 218b CCP-data preservation (judge or public Art. 218b CCP-data preservation (judge or public prosecutor) not by the policeprosecutor) not by the police

Art. 236a CCP – regulations concerning search and Art. 236a CCP – regulations concerning search and seizure are to be applied seizure are to be applied accordinglyaccordingly to electronic to electronic data –problem of interpretationdata –problem of interpretation

Art. 237 and 242 CCP – interception of Art. 237 and 242 CCP – interception of communication is allowed only in relation to listed communication is allowed only in relation to listed crimes, typical computer crimes are not enumeratedcrimes, typical computer crimes are not enumerated

Page 16: Digital evidence in criminal proceedings: legal considerations Arkadiusz Lach Department of Criminal Procedure Faculty of Law University of Nicolaus Copernicus

Presentation of electronic Presentation of electronic evidenceevidence

The principle of immediacy (best evidence) The principle of immediacy (best evidence) requires to present „original evidence” if possiblerequires to present „original evidence” if possible

In the case of electronic data the concept of In the case of electronic data the concept of „original” and „copy” is with a little significance„original” and „copy” is with a little significance

There are some tools to present evidence in an There are some tools to present evidence in an electronic form, ex. DEPS (Digital Evidence electronic form, ex. DEPS (Digital Evidence Presentation System)Presentation System)

The vision of cybercourtThe vision of cybercourt

Page 17: Digital evidence in criminal proceedings: legal considerations Arkadiusz Lach Department of Criminal Procedure Faculty of Law University of Nicolaus Copernicus

ConclusionsConclusions

Electronic traces have to be treated as Electronic traces have to be treated as evidence, not only informationevidence, not only information

Technical procedures of handling electronic Technical procedures of handling electronic evidence shall be obeyedevidence shall be obeyed

Human rights must be strongly protected Human rights must be strongly protected during gathering of evidenceduring gathering of evidence

International cooperation and exchange of International cooperation and exchange of information is one of the basic tasks due to information is one of the basic tasks due to the international character of cybercrimethe international character of cybercrime

Page 18: Digital evidence in criminal proceedings: legal considerations Arkadiusz Lach Department of Criminal Procedure Faculty of Law University of Nicolaus Copernicus

Thank you for your attentionThank you for your attention

Page 19: Digital evidence in criminal proceedings: legal considerations Arkadiusz Lach Department of Criminal Procedure Faculty of Law University of Nicolaus Copernicus

Questions?Questions?