Digital forensics standards: Enforcement under the radar of EU plans for electronic evidence

In the ninth post in RENFORCE Blog’s special series on enforcement, Gavin Robinson argues that the extreme volatility of electronic data calls for EU law to promote not only efficient and secure access thereto for criminal investigators, but also robust standards of digital forensics. Currently, it is national laws and criminal justice systems which achieve varying levels of forensic soundness for digital evidence. Drawing on a comparative, multidisciplinary research project and sharing insight from legal practice in Luxembourg, the post advocates a stronger emphasis on the development of common European rules on digital forensics – potentially within dedicated EU legislation on the admissibility of evidence.

Data is not merely volatile

Paragraph 256 of the Explanatory Report to the Council of Europe Convention on Cybercrime (the ‘Budapest Convention’, from 2001) begins:

‘Computer data is highly volatile. By a few keystrokes or by operation of automatic programs, it may be deleted, rendering it impossible to trace a crime to its perpetrator or destroying critical proof of guilt. Some forms of computer data are stored for only short periods of time before being deleted. In other cases, significant harm to persons or property may take place if evidence is not gathered rapidly.’

Data is volatile, meaning in the first place that it can “move” extremely fast – and in any case far too fast for investigators to keep up. But data is also fragile, meaning that untrained handling of it can damage it, and in the worst cases it can be manipulated (anonymously) in order to occlude the truth or show a record of what did not in fact take place. Above all, perhaps, and despite appearances – data is not objective. It is always a representation of bits; a digitalised image of a handgun, however high-resolution it may be, is the visible result of underlying technical operations which convert the coded 1s and 0s into a picture which is comprehensible to us.

All of the above matters greatly to the quality of criminal investigations and of justice rendered through criminal proceedings, since any weak link in the “chain of custody” of digital evidence may fatally impact upon its integrity and reliability or “forensic soundness” – potentially leading to scrapped inquiries, discontinued prosecutions and silent, unprotected victims, unsafe convictions later to be quashed, or innocent individuals handed a prison sentence.

Between technical standards and capacity-building…

The most important technical standards in this burgeoning field are issued by the ISO and IEC (International Organization for Standardization, and International Electrotechnical Commission). In ISO/IEC 27043, digital investigations are defined as the “use of scientifically derived and proven methods towards the identification, collection, transportation, storage, analysis, interpretation, presentation, distribution, return, and/or destruction of digital evidence derived from digital sources, while (…) preserving digital evidence, and maintaining the chain of custody”.

Another set of standards, ISO/IEC 27037, defines the roles of the Digital Evidence First Responder (DEFR) who is trained to act at the incident scene, and Digital Evidence Specialist (DES) who is competent for a broader range of issues. On top of that international series, regional standards have also come from the Council of Europe (at least two guides), ENFSI and ENISA. At national level, leading examples include NIST (US) and ACPO (UK), whilst at EU level there are Guidelines on Digital Forensics Procedures for OLAF Staff.

The extent to which these various standards are borne out in laws and regulations and in practice in national criminal justice systems is understudied. But a recent comparative research project taking in five EU Member States (whose final volume is available open access) found that all have existing degrees of operational/organisational specialisation: generally, a dedicated IT forensics unit within law enforcement authorities. Whilst these generally provide expert analysis of seized data and devices (digital storage media, mobile phones, digital cameras and so on) – there persist questions around the readiness of frontline police officers as Digital Evidence First Responders.

Usually, the specialised units are composed of criminal police investigators who are trained in digital forensics; in this regard, the New Technologies Section of the Luxembourg police stands out for hiring “civil” IT experts from outside, who are then trained as police officers. This intermingling of expertise was approved by GENVAL (Council of Europe cybercrime) evaluators in 2017 for possible adoption at EU level. The framework for expert evidence in digital forensics was also examined, with Member States showing some commonalities but also distinct national flavours; in this case, the Netherlands Register of Court Experts (NRGD) was cited as an example to follow.

…and analogue legal systems

But the scope of the project also extended to what the ISO/IEC guidelines do not seek to cover: critically, anything to do with national legal rules, from powers of seizure to the admissibility and weighting of digital evidence at trial. Unsurprisingly, in light of the lengthy nature of most legislative processes, the studied criminal justice systems were often found to have sought to adapt by assimilating acts of digital investigation to offline acts.

In Luxembourg (on which I co-authored the national report), for instance, until the Budapest Convention was implemented in 2014 the seizure of data had been executed on the standard legal provisions in the Code of Criminal Procedure, which were of course initially designed for physical objects and documents – and indeed contained no reference at all to “data”. The reforms certainly brought several improvements (e.g. provisions on copying and deletion; “quick freeze” of data to ensure it still exists to be seized), but the Code still features no more than the bare bones of the kind of technical guidelines issued by ISO/IEC and comparable authorities.

Even in Luxembourg – a small jurisdiction, with a nimble legislator and low criminal case-rate – the research appeared to confirm an old truism: practice tends to race ahead of rule-making. Nonetheless, in this legal grey area of no tailored legislative (or indeed soft law) rules a reflexive development of ad hoc best practice has instead gradually emerged before the pretrial chambers of the criminal courts, where evidential matters are most often settled in (the more serious) criminal cases in the Luxembourg system. So it has been with regard to the approved procedure – “copy, filter, seize, erase” has become the rule-of-thumb – as well as tolerated proportionality limits for digital seizures, with several successful “fishing expedition” challenges mounted by defence lawyers concerning the sheer volume of data seized, temporal scope (if the alleged criminal activity took place in 2013, data from 2002 are unlikely to be required), and personal scope (two suspects, but a whole law firm’s files taken!).

For now, there are no plans afoot to introduce tailored national rules for digital forensics in criminal proceedings, meaning the case-by-case evaluation of digital investigations will continue as described, before the pretrial chambers, with the input of the defence. Although far from ideal, this is less alarming in a jurisdiction such as Luxembourg than it would be in many others for at least three reasons, which also serve as a reminder of the complex challenge of designing common European standards to fit into and refine heterogenous national criminal justice systems.

The first is that Luxembourg is a monist system, and the ECHR can be invoked directly in criminal proceedings in order to challenge the execution of digital investigative acts. The second is the low hurdle (compared to similar systems France and Belgium) for throwing out evidence as inadmissible. The third and perhaps strongest reason is that the judicial inquiry scenario (the mandatory path for more serious criminal offences, unlocking coercive investigative acts such as data seizures) is controlled by the investigating judge, who acts – by design and duty – impartially, for the “manifestation of the truth”.

The ongoing policy drive to ensure access to e-evidence…

Zooming out to the EU level, there has been no shortage of attention paid in recent years in policy, practitioner and academic debates to improving cross-border access to electronic evidence for criminal investigators. The ‘globalisation of criminal evidence’ is heralded, taking to unprecedented levels the strength of control of multinational tech giants (chiefly the ‘GAFAM’ companies) over the vast reams of data we produce as we go about our daily lives. That data is said to have already become the lifeblood of criminal investigations – however international or local the case, and however on- or offline the crime – ratcheting up the pressure on EU and Council of Europe (and many more) policy-makers to rethink classical Mutual Legal Assistance (MLA) procedures, deemed far too clunky to cope with the deluge, and to devise new models of so-called ‘direct cooperation’.

Direct cooperation, as envisioned in the Commission’s e-evidence package (its core measure being the ‘European Production Order’, EPO) means that private actors receive and execute (or, if they are able, opt to resist) orders for data in their control directly from investigators in a different Member State to that of their establishment or representation.

The plans (released back in 2018 but still to be finalised) have drawn much criticism, including from EU criminal law scholars – and from some quarters, stinging rebuke. Some open questions here are the future relationship between the EPO and the European Investigation Order (EIO), and the credibility of a judicial cooperation legal basis (Article 82(1) TFEU) for public-private orders: could this go beyond mutual recognition or even risk privatising mutual trust in the Area of Freedom, Security and Justice? There has also been detailed scrutiny of the place of EU data protection law in relation to both the EU reform and their inseparable American cousin, the CLOUD Act; in particular, the GDPR compliance of disclosure of data by EU service providers to US law enforcement – whether voluntary or ‘informal’ (as has become widespread) or compelled (as foreseen in the US legislation).

…leaves digital forensics under the radar

The high-profile focus on access to e-evidence shows little sign of abating, with the Council of Europe’s own 2^nd Additional Protocol to the Budapest Convention now coming to fruition, EU trilogues on e-evidence ongoing, and an agreement between the US and the EU set to be hammered out over the months (perhaps years) to come.

Yet none of the above developments say much at all about the technical side of gathering data (besides data security and authenticity of orders), let alone its subsequent use or analysis. The proposals also set much stock by the EU data protection acquis,whereas the completeness and effectiveness of all national implementations of the Data Protection Law Enforcement Directive is still to be carefully evaluated.

Meanwhile, in December 2020 the Commission proposed a Regulation on ‘e-CODEX’, but this software package (already piloted by several Member States, including for MLA requests and EIOs) offers an interoperable, secure and decentralised communication network between national IT systems, allowing users, such as judicial authorities, to send and receive documents, legal forms, and evidence. The proposal was flanked by a wide-ranging Communication titled “Digitalisation of justice in the European Union – A toolbox of opportunities”, but that too is absent any reference to the requirements of sound digital forensics operations.

Toward common European standards for digital forensics

In the concluding chapter of the collective volume cited earlier, Caianiello lays five foundation stones for the adoption of common European standards in antifraud administrative and criminal investigations. Paraphrased only lightly, these are:

• They should involve both administrative and criminal proceedings, given the cross-pollination between procedures which is commonplace both nationally and transnationally (so-called ‘diagonal cooperation’).
• They should aim for technological neutrality, so as to reduce the risk of early obsolescence.
• Legislation on e-evidence should bear a comprehensive vision of digital investigations and, in light of their potentially very high levels of intrusiveness into the personal sphere, ensure the highest level of protection according to the principles in the Treaties, the Charter, the ECHR and its case law.
• Judicial (or equivalent independent) control must be ensured both before and after collection of data.
• Legislation should secure for all parties – above all the defence – with complete traceability of the chain of custody.

There are already calls for the EU legislator to incorporate human rights standards in a new harmonising instrument on admissibility of evidence in criminal matters, for example in a dedicated Admissibility Directive. Indeed, unlike the shaky ground beneath the feet of direct cross-border public-private cooperation on e-evidence in Article 82(1) TFEU, there is an unequivocal legal basis for minimum standards on admissibility in Article 82(2)(a).

For the reasons sketched in this blogpost, if and when the Commission embarks upon this route it ought to bear in mind not only the ‘differences between the legal traditions and systems of the Member States’ as enshrined in Article 82(2)(a) TFEU, but also crucial differences between types of evidence and especially the unique properties of data. For data is indeed volatile, but this is not only a reason to ensure timely and reliable access thereto for criminal investigators. It also calls for strong, cohesive standards of forensic soundness and the effective empowerment of the digitalised criminal defence.