>> MODERATOR: Good afternoon. I think we will get started. We are only one speaker short, but we have a great line‑up of speakers, so worst case we can afford to have one less.
Welcome to workshop number 149, crime and justice in cyberspace forwards solutions. I am Christian Borggreen with the CCA, and it is my pleasure to moderate this special with Alexandru next to my right will be speaking later.
Thank you to the online moderator from the University of Milan and he will gather comments. And you are encouraged in the room, but also those online to use the workshop, the Twitter handle, #WS149, very good.
Evidence of crimes is increasingly available in the form of electronic evidence often stored in the cloud, which means often stored in a different country with a different set of laws.
This raises complex questions and challenges for law enforcement, companies and users.
In our workshop last year in Mexico we spoke at length and identified some of the serious challenges related to this lack of a procedure international framework. And some of the things we identified a significant delay for law enforcement to access data stored cross‑border. And hearing counsel in morning less than (?) Percent recorded in hearings. And it creates incentives for governments to take unilateral actions, for instance logging vacations or demanding data stored locally. At least it can maybe easily get access to the data. At least that's the incentive created.
Secondly, also create risk of conflicts of national laws for companies as illustrated in the case involving data stored by Microsoft. (?) But requested by a U.S. prosecutor, so under U.S. law which set of rules apply in this situation.
Fourthly, also societal costs. Brookings estimates the government shutdown of applications comes with a cost for society of more than $1 billion.
And finally, some of the human rights impact which hopefully will be explained in a little more detail in a moment.
Fast forward from last year's workshop focusing on intelligence, this workshop here will focus on the solutions, hence in the title, and I am delighted to have this very, very good line‑up of speakers from industry, governments, civil society, international organizations and something in between. A multi‑stakeholder committing factor, all of these different folks.
I would like to jump to our first speaker. We will have first brief introduction, remarks about four minutes, five minutes maximum. And I also have the hammer here. And we will do that quickly and then open up for debate into interactive session for people in the audience and people who participate remotely.
The very first speaker is Priscila Costa Schreiner, a prosecutor. And I might be a little provocative but my impression is Priscila taking maybe a more forceful approach to access electronic evidence. There have been some cases of a blocking of an app that impacts a hundred million users. And I don't know nothing about what is going on in Brazil, maybe explain better what is sort of the legal approach in Brazil? How do you try to improve this you as a federal prosecutor is faced with.
>> PRISCILA COSTA SCHREINER: Of course Christian, thank you, and thank you everyone. Good afternoon everyone. I can't start without taking how happy I am to be here to join all of you in this regional event.
I will talk during my speech about your concerns and of course after all I am available for questions even after our panel here.
I would like to take this opportunity to highlight two debates under development on the Brazilian Supreme Court regarding complying with the Brazilian legislation.
The case is so complex that our Supreme Court in June 2017 this year, a public hearing to develop a vigorous debate in a multi‑stakeholder environment to give our Supreme Court Judges to deal with two constitutional actions that discuss the constitutional validity of Article 12 of our Internet civil rights framework we call (?) Internet. That predicted the possibility of temporary suspicion and corruption of the user's data collection activities, provisions on the Article 11 of this Internet.
And this work, the many issues discussed, but also there was a side debate on cryptography. And I send a message, the federal prosecutors in Brazil are not against cryptography. We rely on it to carry on our day‑to‑day job.
As provisions in our Internet civil rights framework, I want to emphasize that the Brazilian federal prosecution under this extreme measure should be considered only as a last resort, and with extreme caution. We should exhaust not to just affect users, but knows not complying with Brazilian legislation and want to remove themselves from our jurisdiction and severity.
And one of the constitutional actions I put in the lights there, one of the constitutional actions, 5527, was sent to our general prosecution. And the other one for 03, with a Supreme Court judge for (?)
The other one I mention in this light, the declaratory action number 51, proposed just in December 15 before our Supreme Court by the Assestro. That is to federation office of Brazilian (?) Technology companies.
And asking that the request for content data be conductive to the systems rather than through Brazilian procedures of the company. The author claims in Brazilian investigations, the private communication data under the control of ISOP with overseas but use international cooperation procedures even if they have a branch in Brazil. Because it interests that the applicable jurisdiction in the case should be one where the company acquired to our location, instead of the one where it offers the service.
The Brazilian prosecution disagrees with this decision. It contradicts the Harmonic of the Brazilian system by the Internet civil rights framework.
According to the law and jurisdiction we have our civil procedure code, and now our consumer code that follows the U.N.'s document then Internet governance from 2011, which establishes guidelines in favor of consumer of this services determining that such companies must comply with the laws of the location in which they provide their service.
Concerning jurisdiction ‑‑ sorry, concerning jurisdiction Brazilian law, it is very clear that the action or processing of data communications performed in Brazil by a service provider constituted under Brazilian law with the not established in Brazil offer its service (?) Must follow Brazilian legislation.
Of course cooperation between countries is very welcome, but just when it's really necessary and the country doesn't have another solution under their own law.
A lot would be needed when an ISP, for instance, does not have a branch in Brazil or Brazilian targets. And the Brazilian corporation is how to facilitate (?) To impose restraints.
To conclude I would like to reinforce that the Brazilian always looking to provide (?) And also extent to the Budapest Convention and this is facilitated from our point of view in the framework in our own countries. The countries wouldn't have to comply with so many different legislations.
I would like to compliment the work of Bertrand and their team for the amazing work with the discussions through our colleagues. So for us, the solution is cooperation. But not just inside, also between all the multi‑stakeholders. Thanks a lot for your time and thank you.
>> MODERATOR: Thank you very much. I like your final remark, the solution is cooperation, because then I can really come back with you with any sort of unilateral.
Jumping to the next speaker I said in my opening remarks, international companies the potential for conflicts can be a problem. And I mentioned briefly the Microsoft case. Can you give us a sense what are some challenges the companies are faced with? Where are you looking towards the international solution and cooperation just mentioned, please. In four minutes.
>> Sure, just give me a simple question.
First of all, just to give you a little bit of a recap because I was here at this workshop last year. And last year I told you, any of you who are here, the story of our warrant case which you just sort of mentioned, against the U.S. government in which our government in the United States seeks access to email data stored in a data center in Ireland.
At that time I noted it is not about emails, it is about the principle of law, privacy, and interplay of international and national law.
And told the story of providing data to French authorities in just 45 minutes making the point that international cooperation, international cooperation, the frameworks exist and can work.
And the story of the Brazilian police seeking data in the U.S., providing it would have been unlawful under U.S. law, making the point providing for one country's law with a company like Microsoft may break another’s. The challenge, which you decide to break and why.
The Internet expression is clearly creating pressure in always. At IGF this week there are sessions that explore the advances made in economic, social and other benefits that the Internet has brought to the planet.
But it has also brought uncertainty and disruption and accelerated clashes of values around the world. The values are important, they underpin the legal frameworks in jurisdictions around the world.
While we are all connected to this global ecosystem it is right to acknowledge there is no universal interpretation of law in data at this point. (?) Can be helpful but also cumbersome. More importantly, as yet an unresolved balancing act that must be managed between the rights of individuals, the rights of service providers like Microsoft, and the rights of governments.
One of the major platforms on the planet, Microsoft does have an interest as mentioned in getting these things right. We have over a billion customers and that's a big responsibility, pretty much 1/3 of the connected population of the planet. So we have corporations in over 122 countries. We have over 100 data centers all over the world.
Our mission is ambitious to enable every person and organization on the planet to achieve more. So it's clear to us that we need some kind of shared understanding of good governance on the Internet backed up by appropriate laws that have due process and safeguards.
For this global system, it's important to understand and reconcile the objectives of different stakeholders across the spectrum. The growing digital transformation of the economy and everything else, the future of the Internet of things and potential innovations already Big‑Data, artificial intelligence, many of these things just exploded since last year. All of these are potentially in the service of break‑throughs in things like climate science, healthcare, renewable energy, and all of these require data exchanged across borders and for communication networks to exchange that information securely and predictably and in a way that is trustworthy.
All countries want to realize these benefits, and if anybody is going to realize the ambitious sustainable development goals, that's necessary. But to do so, all the countries must ultimately cooperate to evolve the system of laws and norms to account for the increasing complexity.
Here we are one year later and in many ways things have not actually changed. Well Microsoft won its case in the court of appeals, it is now heading to the U.S. Supreme Court and I believe that the final deadline for briefs is January 11, coming up.
The issues in the case have not changed, but there is now at least a greater understanding of those issues.
One outcome of the Court of Appeals decision in the United States is movement in Congress to develop new legislation to update the law in the U.S. The international communications privacy act was introduced by senators Hatch, Coons and Heller and another in the House by (?)
And providing cross‑border access, robust process under international law, potentially could be a model for similar legislation in other countries.
The key point, as a global technology company we need clarity this legislation would provide. Need clarity on how to make the calls between jurisdictions. Need clarity on how to enact the process and on what our rights and responsibilities are. We need that clarity not just in the United States, but in every jurisdiction in the world in which we operate, and that is the central struggle for a global provider like Microsoft with both distributed technical operations which are necessary to actually enable the types of services we provide, as well as the fact that we have customers that are located not necessarily in the jurisdiction where the technology supporting them actually is.
And in many cases, we have transactional environments in which customers on either end of that particular transaction also are subject to different jurisdictions. It becomes a matrix case. And so far we don't really have a very good model for how to do that.
>> MODERATOR: Thank you very much for that perspective.
What I try to do here is to put people next to each other that are suing each other. Why we have Microsoft here and the U.S. Department of State, which I don't think it is the entity sued but still with the U.S. government. But thanks for still showing up even though we are being a little naughty in the seating arrangement here.
Maybe you can provide a quick introduction to the current frameworks and how the U.S. government is trying to improve existing frameworks. Maybe new international frameworks.
>> I am happy to do that, and I warn you I have lawsuits ready to drop depending on how this panel goes. Thank you Christian including the background at the top we agree with, challenges for law enforcement and security officials.
I think our assessment is similar to yours in terms of the implications, highlight particular conflict of law scenarios and incentives that this creates for governments around the world towards things like blocking and data localization.
And from our perspective as the diplomats in the State Department we see a trend towards those things and I think there's a balance here. You know, we could be approaching a tipping point, so I wanted to come here and tell you about some of the things we're working on to try to improve the situation. So I'll just try to go through them quickly so there is time for discussion.
The first thing is we're trying to promote and advocate for solutions that currently exist. And so talking about things like the Budapest Convention, 24/7 network, and I assume we will hear about some of those things later in the panel. A big part of our work is trying to promote awareness of those things and promote ascension to the investigation ‑‑ and getting traction. There are countries joining every month and I feel we are making progress on that. It is not a total solution but things that make a difference that are available now, trying to bring more countries into the fold there.
The second thing I wanted to focus on is efforts we are making to improve. We are not so mutually assistance treaties, if people are not aware, processed by which countries request assistance between each other in obtaining evidence. It's not just for electronic evidence, it is for physical evidence and the history of those things. They are not the only mechanism but the formal route for obtaining evidence.
They are consistently a sore spot because they are slow, as you mentioned. But I think there is a statistic I put in here, but in terms of our Department of Justice, the requests they received the last 10 years increased by 10‑fold for electronic evidence and so there's, you know, an element that this is not sustainable and we're putting sort of energy into trying to improve the process over the last few years. Trying to modernize the process, devoting additional resources, improving the tools used to respond and track the requests and streamlining the process itself. In some cases devoting particular individual’s time to respond to requests for countries, and working with the countries to try to improve the requests for some delays are limited.
So what we want, we want the request to get to the Justice Department lawyers quickly so they can act on them and eliminate back‑and‑forth, and questions about format, etc.
So that's the other thing, trying to improve existing processes that cause friction.
And the third thing we want to get to here, efforts to develop more efficient access to cross‑border and the next dimension in this space. I am not sure if this was discussed at all last year, but we've been considering the last couple of years in concert with people here who have been involved with it as well, it is no secret, but we have been trying to address the needs to access data overseas in a timely manner with appropriate protections. Came up with an idea of framework under which U.S. providers can disclose directly to a foreign government for investigations of a particular sort for non‑U.S. persons outside of the United States under the legal framework of the foreign country.
So it will rely on the authorization in the foreign jurisdiction to access the data under its own legal system and we have, you know, there is legislation in Congress that will be required that sets out some standards here which I am not sure it is worth getting into that level of detail at this point.
We have worked on a framework, lateral framework with the U.K. And this we think this approach could actually improve the process and allow for efficient exchange of data, while being acceptable to the American public and the legislatures and people concerned of privacies and civil liberties. And you will hear more about that as we get to Greg.
But I will stop there for now and I am happy to take questions.
>> MODERATOR: Maybe just one quick follow‑up question. The procedure that the government authorities to another government authority, that procedure is lengthy, takes many, many months. And everybody says it works, but it is way, way too slow, that's why it is not working.
That's why you have the new protectional framework between the U.S. and the U.K. government. And they start a case, the U.K. authorities can get data directly from maybe the U.S. company rather than having to go through the very cumbersome system, right?
>> That's correct.
>> MODERATOR: And how would the potential framework between the U.S. and U.K., how would it apply maybe to other countries, to Germany or future E.U. countries?
>> Hypothetically, yes. I think the way we are imagining this, there is legislation required to remove the statutes that prohibit companies from sharing this information to start with. As part of that legislation, it envisions bilateral agreements. So we've talked to the U.K. on a preliminary basis, and I think we view that as somewhat of a pilot. And if it seems like the kind of approach that works for both sides, and is able to sort of address all of the privacy, civil liberties, protections that we hope that it will, you know, after some kind of evaluation period I think we would look to potentially negotiate with other governments as well.
In the legislation, if anyone has looked at it, they will notice there are a series of factors that need to be evaluated under which the Department of Justice and the Department of State would seniority that a country meets some subsequent protective procedures. So there's a process by which you make an initial judgment that the country's laws and practices are sufficiently robust to support something like this, then you can potentially talk to them and form a bilateral agreement that could kind of fall under this heading.
So there's I think the way forward for expanding this that expands to be ‑‑ well if it comes to pass in legislation, proves to be something effective.
>> MODERATOR: Thank you so much. The next speaker, Gregory Nojeim. I don't know if you have any recent cases with the U.S. government. [Laughing]
At least we will maybe be on the same side, who knows.
We talk a lot about the challenges for prosecutors or companies between different regimes and for the U.S. government.
But we haven't talked much about human rights situations here. What do we think to think in human rights.
>> GREGORY NOJEIM: Thank you for having me, and the Council of Europe. I am Gregory Nojeim a Washington, D.C. group keeping the Internet open and free. And my piece of that puzzle is government surveillance.
I want to say, to follow‑up on Seth's comments. We need to strengthen the (?) system. It can be more efficient and still rights‑protective as it is. I think a lot can be done on that score. It is difficult to see it adequately scaling to handle what you see as the volume of requests if there was an efficient mechanism for turning over data to governments that need it it's difficult to see that.
So we looked at things like the possibility of bilateral agreements. And we ask ourselves, what needs to be in a bilateral agreement between two countries so that when data is sought by one country, one can be confident the human rights of the person who is the data subject will be protected.
So we look at the legislation that the U.S. Department of Justice proposed and we see a number of shortcomings. And they are all remediable.
One shortcoming it reserves to the Department of Justice and the Department of State complete discretion to decide what countries meet the standards set forth in the bill. That decision could be made based on findings of fact that are never made public. It doesn't have to be that way. It invites the possibility that politics, not an assessment of the human rights protections available, would be what makes the determination about whether a country gets one of these agreements.
We're concerned about the possible weakening of standards that normally pertain when a country today makes a demand for data held by a U.S. provider. We're also concerned about the scope of the possible provider assistance that might be demanded by the country making the demand is left undefined. And the result of that could be infringements on the ability of providers to offer end‑to‑end encrypted services, because provider assistance might mean that you can't do that, because you can't get access to data.
There's a risk of an end‑run around domestic law because there are broad share‑back provisions in the proposed legislation, meaning the government that demands the data, if it reveals information about a possible crime in the U.S., can share with the U.S. government and the U.S. can get that information without ever meeting U.S. standards.
And the proposal doesn't just remedy the slowness, it expands the kinds of data that would be available. Right now you want do an MLAB to get content in real time. There is no authority to do that ever. These agreements extend to real‑time surveillance as well.
I think these are all remediable and we are certainly working on language to address these problems.
What we are also working on is criteria for what ought to be built into any mechanism to deal with cross‑border requests. What are the human rights criteria there ought to be?
I will list some right now. They are derived from the necessary and proportionate principles which are principles adopted about four years ago by about 400 civil society groups. And those, in turn, are derived from national laws and from court decisions, including the negligence and proportionality under the European law. And these must be in the mechanisms we talk about today, the concept of legality. That means that the authority to gain access to data has to be articulated in a statute that prohibits conduct. That gives the person whose conduct is prohibited enough notice that the conduct is unlawful.
There must be judicial authority. (?) And evidence of the crime. And particularity, in Europe, that the data relative to the crime and specify the account for person for whom the data maintains. A means test, so if data is available without being intrusive, the less‑intrusive means used. The serious requirement. The crime, it can't be one of those stolen chicken cases. There was actually one, a stolen chicken case. It has to be a serious crime punishable by years of imprisonment.
There should be a requirement of notice. Notice to the data subject, that their data was sought and turned over.
And there should be minute ‑‑ minimum requirements. And transparency requirements, the country making demands has to disclose how often they make the demands, what are granted.
And the person whose rights are interfered with, at that they can obtain a remedy. Incorporating these criteria into mechanisms for maintaining data across borders I think will go a long way to making the mechanisms more acceptable to the public, thank you.
>> MODERATOR: Thank you very much, Greg. I think we will go directly to the co‑founder and deputy director of the information policy network and I think I called a multi‑stakeholder project here, but maybe you can briefly explain the processes that you are working on, and maybe some of the policy options that of identified. Maybe even since last year's session.
>> PANELIST: Yes, absolutely with pleasure. I think what is clear by the interventions we are at so far, there is offer-ability and uncertainty and the multi‑stakeholder model can be a very promising avenue to develop the necessary operations and solutions we need.
Many of you in this room probably know that last year in November the first global Internet and jurisdiction conference of the Internet and jurisdiction policy network was in Paris, organized in partnership with the governments of France.
And the Internet jurisdiction and policy networks that three programs (?) And obviously focused on the outcomes of data and jurisdiction program.
This conference gathered over 200 participants from over 40 countries, and their result was a common item to the areas of cooperation. And based on the areas of cooperation the different stakeholders identified, we as the Secretariat set up this year contact groups.
And the contact groups on that jurisdiction worked intensely this year, comprising approximately 20 participants. It's a pleasure to see all entities here were actually involved in this as well. So there are representatives from the different stakeholder constituencies.
The result of the work released in November, the policy options document you can download from the website Internetjurisdiction.net.
And the work taking place this year between the stakeholders basically managed to identify building blocks for any regime that has to be found in the long‑term development of the global development economy and reduce incentives for mandatory data localization if no solutions workable can be found.
Those policy options are there to structure the global debate to the different actors can synchronize, and identifies different components that have to be discussed, and basically what Cathrin, one of the meetings organized in Paris, called the Manageable Chance. And the idea is to decompose this extremely complex debate to factors that can be discussed one‑by‑one. The building blocks or manageable chunks are important for any potential regime for access of e‑evidence in the cloud.
And something obvious for the people in the debates how it is addressed shapes the future of the cross‑border Internet and I think it is important to avoid unintended consequences by a lack of coordination by different processes that run parallel. On the panel the major processes and others are there. The efforts in the European Union that Cathrin will talk about after me. The Council of Europe, the United States with the Microsoft case, the U.S.‑U.K. agreement and many more. The work in the program allows to map the perspective perspectives, compare approaches with the goal of policy adherence. All actors, all stakeholders have different perspectives on the issues and the Internet jurisdiction policy network has a new central place to discuss the issues is sort of a connective tissue that allows different processes to talk to each other and get feedback on perspective next steps. And important for coordinated actions.
For example, questions like what are the types of crimes in criminal investigations that should be covered? What procedures could be envisioned? And this is very important, what would be the future scalability of any evidence that is explored by different actors.
The policy documents have details and elements and components to help structure the discussions and I encourage everybody to have a look. And also to discuss those policy options in the stakeholder groups and processes.
This document will serve as the input for the second global Internet and jurisdiction conference which will take place at the end of February, and it will be organized in Ottawa in partnership with the government of Canada.
>> MODERATOR: Can you give us a little teaser of what will come out if you are looking into the crystal ball? We are so excited and want to hear a little bit. Give us a teaser, Season II.
>> I think Ottawa matters. It will be a unique opportunity, it is a critical mass of actors that will gather there to discuss how to proceed together.
And what we as the Secretariat hope will happen in Ottawa, the different stakeholders can identify a clear road map forward. Now a time perspective you might have heard in one of the first sessions of the IGF this year the government of Germany is going to be the partner for the third global Internet jurisdiction conference in 2019. The time between Ottawa and Berlin matters. And we believe as the Secretariat we can progress towards the development of solutions to hash out different components. Ottawa is the moment for the different actors to agree on focus and the concrete next steps to structure the debate and to provide a path forward. Because what is needed is operation solutions to get out of this current dilemma situation.
>> MODERATOR: Of course and in this session, if we already find all the solutions, it is bad for business for Paul. But chances are that we probably will have to go to Ottawa and enjoy the interesting discussions there.
All right, we are going straight next to the European Commission, Cathrin Bauer‑Bulst. There are no other political groupings of the member states so connected economically, politically as European Commission. What is the European Commission doing to streamline and improve, we hear can be the easy first steps. Are there steps to incorporate more with the companies, including Microsoft?
Also, what are some answers you give to member states when they ask the European Commission to come up with solutions for enforcement of the jurisdiction in cyberspace. All of that was way too much.
>> CATHRIN BAUER‑BULST: Yes, thank you very much for having me. I know I am supposed to talk about solutions, but I want to take 30 seconds of my four minutes to talk about the problem because I wasn't here last year, maybe some of you weren't either. And there are a couple of figures I just want to get out there.
So I looked at my phone recently and tried to find an app that was based in Belgium or that stored data in Belgium, which is where I live and I found two. My local transport app and my banking app. Everything else I have from somewhere else.
There is often very little section between the services we use and the jurisdiction we live in. In the European Union we have done everything to facilitate it. Opened our market to services all over the world. However, when you are viewing it from the law enforcement perspective, all of a sudden this wonderful space has borders going up again. As soon as data is stored elsewhere or as soon as the provider is located elsewhere, you're stuck.
And this is not a small problem. We surveyed European law enforcements recently in the big process that Christian was referring to and found that in 80% of the cases currently investigated, digital evidence plays a role. And in 70% of those cases where digital evidence plays a role, the evidence is located outside the investigating state.
So this is not an insignificant problem. And when you also look at the fact we are doing everything to minimize data and in particular metadata, and usually gone in seven days. And when you look at the time for a request, it becomes obvious this is not the best way forward.
No matter what we do to change mutual assistance it cannot keep up. There is no way our processes can match that speed.
On top of that, there's actually not a lot of interest on the part of the governments who are on the receiving end of the cooperation requests to work on those cases because usually neither the user, nor the case, will have any link to their jurisdiction. It is where the data is hosted or that the provider has its seat depending on the connecting factor. That much for the problem. I know we used more than 30 seconds.
And what are we doing? The European States picked up and asked the Commission to do things. Fix mutual assistance, come up with better rules for direct cooperation across borders, and want us to propose options for the problem of jurisdiction more generally.
So we ran a process for a year that also was multi‑stakeholder in nature. All of the entities on the panel, except for Brazil, participated.
And the basic concepts we came up with were then presented to the European member states in June of the year in a package comprising one side practical solutions to fix how we work with each other under the existing framework, the other side options for legislative solutions for member states to tell us what they want to pursue.
A few highlights: within the EU, established a platform to judicialize requests so we can go from court in one member state to court in another to ask for data. Still traditional judicial cooperation, deadlines about 120 days all steps comprised. It is not everything to address the process, but are trying to do what we can to speed up the process within the deadlines.
Also investing $1 million in training for judiciary law enforcement in cooperating with the U.S. -- [phone alarm ringing] I am going to take an extra minute if I may.
>> MODERATOR: I am impressed.
>> Cooperating with the U.S. Department of Justice in assistance and the direct cooperation possible for non‑content data with U.S. companies that law enforcement and judiciary don't waste time.
And the companies and the DOJ, that very much helps ensure the quality of the request and also creates a relationship of trust that facilitates the cooperation.
And there is a couple more things we are doing. Invite you to enter European evidence into search and see what we are doing.
And asking us to put towards proposals on cross‑border production orders, possibility for the judge on one member state to compel another in another member state or offer services in the Union to provide data.
Secondly the possibilities for direct access, which are situations, for example, you are dealing with an infrastructure, no service provider whom you can ask for assistance. For example, a dark web forum where child sexual abuse issues are exchanged, that is unfortunately a freak case we are dealing with in practice. There the member states wanted agreement among themselves as to under which circumstances such forums can be accessed directly by law enforcement.
Those are the two solutions we are currently working on. We will be presenting hopefully a legislative proposal to our College of Commissioners next month. By the time Ottawa rolls around, we will have a little piece to add to our solution. I am happy to say as of now I have responded to all of Greg's requirements and that's a good thing.
And just in terms.
Connecting factor, one really important thing for us in the process is that data location is not a connecting factor we can work with unless we also want data localization requirements. And we definitely for the Union decided that's not the way forward because it interferes with the freedom of establishment of the businesses data (?) And we are trying to do everything we can to line up with the very important work that has been done under the Budapest Convention already and taken place under the protocol. Ensuring our solution is not just compatible, but takes the cooperation for the E.U. states deeper because we have the trust among the 28 we can build on. And I think that is a good to the next speaker.
>> MODERATOR: You are the perfect panelist and moderator. You are timed and better organized, right? And you provide the bridge to our final speaker, Alexandru Frunza‑Nicolescu. More than 50 countries also trying to provide an international framework here.
Maybe you can briefly give introduction to some solutions under the discussions at the Council of Europe under the framework of cybercrime.
>> ALEXANDRU FRUNZA‑NICOLESCU: Thank you, I will try to use my five minutes to brief the people on what is currently the work you are doing in order to improve criminal justice access to cross‑border evidence.
And the context, the content 47 member states. And the Budapest Convention on cybercrime, framework on cybercrime (?) And the commit representing the parties to the Budapest Convention. Assessing the quality of the implementation, and capacity‑building programs or cybercrime delivered throughout the office in Budapest, Romania.
And the framework on cybercrime evidence and, currently 56 parties and 14 observer states and has countries who use the Budapest convention as guideline for domestic legislation.
Now, the convention in early 2000 and entering into force in 2004. While neutral language in order to be adapted to current proposal and future technologies, the fast‑paced developments of ICTs made the additional provisions are necessary to provide solutions for criminal justice to protect the rule of law in cyberspace.
In the last year, the cybercrime commission focused on mapping the current and future challenges to criminal justice in cyberspace, and possible solutions to address these challenges.
Based on the work of two working groups, the trans-border group and the (?) And information from law enforcement, private sector, academia, civil society, data protection and European Union bodies, starting the process for additional protocol of the Budapest Convention. June 2017, the terms of this protocol were adopted and the group established in this sense.
According to the reference for this additional protocol, this could include four types of provisions.
The first one is represented by provisions for more effective mutual assistance. This could include a simplified request for (?) Information or on emergency situations. And production orders and requesting English language, etc.
The second type of provision records provision for direct cooperation between criminal justice authority in one country and service provider in a different country with regard to subscriber information, data, or emergency.
And (?) Current practices on exporting data.
And safeguards including data safeguard requirements.
And an important aspect discussed during the first meeting, the way ahead on cooperation and coordination by all stakeholders. And decided to have close meetings during this process. And the meetings with draft concepts and text are available. And the conference from 11 to 13 July, 2018, please save the date. And an opportunity for exchange of views.
In addition having in mind the current development ‑‑ sorry, in addition the current developments within the European Union, the one that Cathrin already mentioned about, and the fact 26 countries are European Member States and parties to the Convention, the political drafting group drafted the process in close coordination with European Union.
And the issues are complex and it may be difficult to reach consensus on options currently on table. However, unless solutions are made upon, governments may be less and less able to protect individuals and their rights in cyberspace.
To conclude I invite everybody who can contribute to the process to be involved and engaged with TCY from early stages, and the first is the conference from 11 to 13 July in France. Thank you very much.
>> MODERATOR: Thank you very much. Now we heard from all of our speakers here. Heard some of the concerns and challenges for prosecutors in Brazil. Heard some of the challenges for company who often are faced with conflicting requirements, conflicts of those. And we heard from the U.S. government, which is working for improving existing measures, namely in that, but also thinking new, how we make new processes, namely the U.S.‑U.K. more direct framework for access to evidence.
We heard some of the human rights requirements that needs to be built into international frameworks, and maybe even improve some of the existing ones as well. We heard from our multi‑stakeholder project here. How if you bring together different stakeholders you can come up with different solutions that will be revealed in Ottawa. And the commission next month, you are competing here with the Internet guys. And already next month will have a legal proposal, legal framework presented for discussion.
And I believe you already discussed this with different stakeholders from companies and governments, etc. And then finally we heard an even broader plus 50 country accounts of your framework that also will be presenting progress. I didn't understand, what is the timeframe for this additional protocol to the cybercrime convention?
>> According to reference for this additional protocol, if everything goes well the draft should be ready late 2019. And deciding on it during the TCY plenary in December 2019.
>> MODERATOR: Maybe ready in that time or so, very good.
This is going to get more excited, because hopefully you have plenty of questions and maybe we have some questions from some of the remote participants.
But I would welcome any questions here from the floor.
>> PANELIST: I have a question for Alexandru. So the work plan says there is a consultation in July of 2018. But it also says that an inventory of provisions for the protocol should already have been developed, reviewed and adopted. There would be five meetings of the protocol drafting group and the protocol drafting plenary prior to consultation.
You will have already conducted first and second readings of the proposed provisional protocol prior to the July consultation. When can we expect to see a draft?
>> ALEXANDRU FRUNZA‑NICOLESCU: The first was a brainstorm, different types of provisions to be discussed. And the group divided in the break‑out groups and discussing different types of provisions, but only on the level of concepts. So the first moment to ask feedback from all stakeholders will be when something possible is there. Graphics, in order to be able to receive. To receive feedback.
>> I guess my point, there will be a second reading prior to the July meeting. That's what it says in the work plan.
>> ALEXANDRU FRUNZA‑NICOLESCU: No, I am afraid this is not true. There wouldn't be any reading, any text until July that will be discussed. There will be different type of provisions discussed within the break‑out groups and they will be presented for the plenary meeting in July, the meeting that will receive the conference, and they will be presented for discussion during that.
And there are two types of groups. There is a protocol drafting group, the one that is drafting the protocol. And the protocol drafting plenary. The one that decides on the further steps with the protocol. And it is comprised by all the TCY parties and observers.
>> I hope that provided some clarity. There is a question here. If we have any we go to of wards.
>> I am Frank can security in the Netherlands and former U.S. I have guess for Greg and also a question. One, I agree with your one comment about the MLAT process as course as it currently is and what it may become, maybe never scaling to the needs. And former cyber task force officer I can see why that will continue to be the case with the rise in evidence.
And some of the comments and concerns you had, especially related to human rights. One was the comment about the share‑back of data.
I think again I would agree that's easily ‑‑ there's a solution to that in the sense if we can ensure it meets the probable cause standards of U.S. law enforcement and how they were to receive that data, then they can act on it. And I think that's currently the situation we have, when we do have colleague from abroad sharing that information. If we are meeting the same standards and that was articulated and verifiable I think we can agree we can find the solution to that concern.
The other is some concerns about notice for those having data reviewed or seized. One of the topics I typically encounter when we talk about human rights issues is that we need to, I think, focus on human rights of the victims involved in the crimes. And we look at cases of child exploitation, human trafficking. Cases where there is immediacy of need and the ability to address the crimes as soon as possible. And I think it should be focus on that and the rights of the victims.
The question I have, when the comment was made about if a solution would be bilateral agreements and if there was discretion at the DOJ level within the U.S., and a concern for how the discretion would be used, I think the analogy I would use, on you how we can look at it the current processes we use with Interpol on red notices, and there is decision made on whether the red notice will be issued. Not only on that nation, but if it needs human rights standards as well. I want your thoughts on that and maybe any other member of the panel if that is considered as a solution, in addition to what was already mentioned as far as how we can look at whether through international data access warrants, or a panel if you would to address these concerns. And that they would meet those of both parties involved, thank you.
>> Notice, discretion and share-back. On the share-back if there is probable cause found by a judge that it met the probable cause standard, we'd have no problem with that. That requirement is not in this legislation. Thank you for your support in adding that.
On notice, notice to the target of the surveillance can be delayed in order to protect the integrity of the investigation.
On the discretion point, the point I was making is that DOJ and State have complete discretion to decide with which countries the United States will enter into these agreements. Ideally there would be some supranational decision‑maker that would say these countries can enter into these agreements because they both have strong human rights standards. There isn't such a decision‑maker.
The best thing we have come up with to deal with that problem is more transparency. Require the government, the Department of Justice, to publish a report about why it thinks that these countries' processes meet the human rights standards articulated in the legislation. And then make that public. Give people a chance to comment on it, and then the Department of Justice and State there make their decision after receiving the commentary it
>> AUDIENCE: The only follow‑up question, would that be an issue, creating more reports on the potential violations of human rights for other countries?
>> Yeah, we love writing reports, so that's always welcome.
I just want to sort of set the stage for people just on this, because it is sort of getting into the U.S. domestic policy. Just so people understand where things are at the moment.
There is a draft, a piece of legislation with our Congress. Nothing enacted, no final decisions. We have the process of public debate that will ‑‑ well things have sped up in our legislative process recently, I am not going to make any predictions. This is where we are right now. There is a piece of legislation and it's on the web, anyone can look at it, it's not hard to find. And the questions raised by Greg and others are about specific elements that are in there.
I will say that there was substantial discussion within the USG of each of the topics. What we decided to do is put out the legislation. We hand it over to Congress and see what they would do with it. The question is whether the American people and sort of this community and the Congress themselves are comfortable with where we've set sort of the balance points on all of these issues, right.
And so the issue with the round‑tripping or the pass‑back, you know, where do you ‑‑ how do you deal with that, right? Obviously the issues that Greg raised on the other hand. If there is a foreign government that has information about an imminent attack, statement we do want to know about that.
So what are the parameters and how do we deal with that? What is the place to put this or the balance point? I think they are legitimate questions. I think a lot of what Greg addressed is in there some way or another, and it is the question of getting the right balance and whether it is something that everyone is comfortable with.
That's where we are. In terms of the specific question, Frank, I think, you know, I think the details of how we do the evaluation are still to be determined. You know, we don't know if this is going to become law, and if it does, what the requirements will be and what it will look like and what the process will be. I think it will be sort of early days to speculate.
I think we are expecting it to be a pretty substantial requirement on us to make that. We are hoping to get a lot of flexibility. We want this to be something that can happen and could work. If it requires consent of the Senate, like a treaty, then that will really hold things up. If it will require extensive documentation reporting we'll do it but we do like some flexibility.
So I don't think anything is on or off the table decisively.
>> A quick question to the European Commission. If there were a bilateral framework between the U.S. and the U.K. is that something that the E.U. as a whole would be interested in having a bilateral framework? What are some of the safeguards that would have to be in there?
>> Thank you Christian, if I may briefly come back on the question of the share‑back this is something we looked at and identified two angles.
First of all, as the colleague from State was saying, there are situations where you want information about intelligence, especially situation of imminent attack. Prevention side of things. There we didn't see such an issue if there is information France received from a German provider pointing to an imminent attack on German territory was shared back with the German authorities.
But the second question is the use of the evidence in court. Actually here the situation is quite different. As law enforcement, you have to prove the information or the evidence that you gathered was gathered in accordance with your national standard. And if that was not the case, then you cannot use it in court. And that very much limits the impact or the risk of share‑back for the purposes of use in court. If we have a country with a lower standard, and I think that's the implication here, sharing back with a country with a higher standard, the evidence is not useful in court and the check is already built into the system.
And also on this aspect of what we're expecting from each of the assistance. I think we have to be clear and raised the important point on human rights. The process was not built as such to protect the human rights of the user, it was built to protect the sovereignty of the investigating state. You look at the human rights of the user it is in many cases very hard to do for the requested state, because very frequently that user has absolutely no connection with the requested state.
You are often looking at a situation where there is the German authority investigating a German case with a German suspect who used yahoo email. The U.S. government has absolutely no information about possible legal privilege or immunities of the German citizen, because that's not something they have access to.
And I think that's also where we need to manage expectations of what the assistance can do. As to the agreement, of course, the U.S.‑U.K. agreement is something we are also looking at from the perspective of the E.U. as a whole. And we think that's in terms of the harmonizing that has been done. And also the human rights perspective that they would meet the criteria set out and is, of course, interested in having an agreement that would also maintain the strong levels of safeguards in place on both sides, and find ways the differences can be compatible among one another.
>> MODERATOR: I remind everyone at the very end in 15 minutes you each get one minute to summarize your point. If you feel you have not heard. And Cathrin will take her clock and I will use my hammer.
A question in front?
>> AUDIENCE: I am sorry I missed it last year shocked to hear the E.U., the investigations that have information in other countries and on average 10 months. I am wondering if there are countries where law enforcement required a copy of data stored locally. I heard some in the E.U., and if there is a mapping of this? How many law enforcement jurisdictions today require a copy of the data stored locally for these reasons.
And a question to the Microsoft person. You had 45 minutes you can give the data for the (?) Case. What who that be under? Inlets or something Greg would be worried about. How about that compare to the normal 10 months?
>> MODERATOR: Thank you going to Cathrin once. Nobody want the free Internet to be stored locally, but is there a measure and yet you understand that the law enforcement want quick access to that data. Is there a mapping of countries that require law enforce. Data to be stored locally?
>> PANELIST: We don't have one at the E.U. level. I am aware of many countries, and in the E.U. member states, what you say is correct. When it comes to metadata stored for purposes of complying with the German data retention obligation, which is not in force right now, it has been suspended by the German authority pending judicial review.
But if that legislation is active, then metadata that is stored because of the retention obligation has to be stored in Germany. So we have a couple of very limited cases within the EU we are aware of. No systemic mapping, but the majority have no such data storing obligations.
>> MODERATOR: Thank you stretch. Paul, which legal framework was used when we had the terrible attacks in Paris?
>> PAUL FEHLINGER: My understanding how it works, our response time 45 minutes from the time we got the request. The French authorities determined the suspects had Microsoft mail accounts. The French authorities contacted the F.B.I. The F.B.I. contacted us. We provided the data to the F.B.I. after validating that their request was legal and the F.B.I. provided the French authorities. And the turn‑around time 45 minutes. And the total time still less than several hours because it was an ongoing thing.
>> The operative statute in the U.S. has an emergency exception that permitted Microsoft to make the disclosure on the emergency basis without going through that MLAT system.
>> MODERATOR: Another question, maybe two this time.
>> I am Ellen from the U.K. government. Just to reinforce the priority that we place on this, as Greg knows as well having dealt with my colleagues in the Washington embassy time after time. I would be recommending reading to people all day. The national security advisor testified in Congress, pretty much we let a sitting official do that because of the importance we place on this agreement. And you can read his testimony which is public on why we think it is such a pressing issue.
I would say that there are lots of conversations, people and arguments and we know lots of other countries interested in having similar relationships. We have not signed ours; it is in the works, requiring the U.S. to change legislation. We think it is what other countries can profit from.
And right now the main flow is the U.S., it may change in the future. There are other countries interested. And how can you benefit from the arrangement. The key thing, how do you extend things. Like Greg said what is the minimum criteria you look at. And this is an opportunity to improve your process we can't to minimize data localization, and up the standards and are looking to sign sort of similar agreements elsewhere and that a good opportunity. We just have a close relationship with the U.S. and relatively similar systems. But I stress we don't have the same system and may not meet the exact same standards in the U.S. in how they word it. I know that is a point of contention with U.S. civil society. But we have different laws, three processes. We have a parliamentary system. And you have to respect the differences and try to figure out how you sort of deliver that objective standard, versus meet, you know, a particular standard which has been instituted by another government.
>> MODERATOR: Thanks for the clarification.
>> Hello, I have a question for the Brazilian representative. You mentioned the civil right in Brazil, and so it's a legal tax involved for guarantees, principles, rights and duties on the Internet in Brazil.
Also mandates companies to keep data for any legal means, but sometimes I actually like in the actual situation of Brazil, I have the feeling sometimes legal authorities are like promoting some sort of overreaching or power of abuse on like such requests for information because, I mean, the amount of information far should like ‑‑ it is far more than you should consider like useable. And I would like to know what are your thoughts on that.
>> Thanks a lot, and you're right on Article 3 of the Internet as you know it. We have principles, and of course all of the needs and want to respect.
You are right in use. Unfortunately, some judge we have the federal prosecutors and state prosecutor, and federal judges, state judges. Sometimes we don't need (?) To prosecute a crime. The metadata is enough. And sometimes we just with the metadata the judge don't need to respond with we can I think in Brazil call [speaking non‑English]
And it is because of this we had a decision of a judge after applying affects because a company didn't give some data to continue the investigation.
So what I can tell you, us from the federal prosecution office in Brazil, we are doing speech, we are doing workshops. We try to reach as most possible of law enforcement possible of judge people, that to use this resource that the law use, the similar civil framework as a last resort. And you persecute the crime, sometimes when you need more you don't have to have a panel that just reach the company and also the consumers. These we don't want, no one offers like it. Sometimes it's needed.
And I am going to finish, the problem is not to disrespect, the problem is disrespect of law. And it is respect of law can have answers and we have other answers that are more effective and respect human rights, also.
>> MODERATOR: Thank you so much for that response. I'm sure you'll be talking a bit more afterwards. I think one or two maybe final, final questions. Or not. Didn't I see a hand over here? Any questions? Comments? One there, and then the final one. Yes, sir.
>> Patrick ‑‑ this comment came up in the legal group the first thing this morning, I kind of make it again.
There has been huge progress in the sharing of cyber threat intelligence, in data, in history and government organizations. In the E.U. seeing a rise from over two to 220 response teams. The amount of collaboration occurring is documented in the E.U. in ddconnect in many areas. And I am just wondering whether all of the discussion today could leverage the great degree of collaboration, which is already occurring elsewhere.
And I would also wish to invite any members of the panel to contact me, some of us know each other, we have a legal working group that is operating in London and they would be very interested to have suggestions as to how some of this leading practice cross‑fertilization could be taken forward, thank you.
>> Yes, thank you Patrick for that question. We have really made some major steps forward on cybersecurity and intelligence sharing.
One challenge that we still face, at least within the Union, is to put law enforcement in the loop. Member States are quite hesitant to have threat intelligence necessarily shared also with law enforcement. One simple reason, law enforcement is bound by very rigid processes.
In many countries they have to launch an investigation, they have to undertake investigative steps. And that may throw a wrench into the cans that actually deal with cybersecurity threat. And it creates issues for both companies sharing intelligence and sometimes the authorities.
That having been said we hope the situation can evolve. The other challenge, of course, to have evidence that we can use in court for law enforcement it needs to be obtained in a specific manner. The way threat intelligence is shared does not always meet that.
Those are the two things we are struggling with in this context, but something we are active in exploring and take steps to get them involved. And the European cybersecurity agency that is just expanded. And we are hoping to, indeed, build on this more in the future.
>> MODERATOR: Thank you so much. One final quick question.
>> Not so quick, I am afraid. (?) I understand the commission representatives responds to slightly getting in the way of the happy narrative that is sort of developing in the discussion so far. The sort of moling of various instruments that the department of justice delivered the last several years in cases like (?) In particular. Whether you think institutionally the institution fixed the problems with the internal human rights advice that clearly was coming and that the mechanisms that you're now developing would be robust against similar legal challenges in the future.
>> An easy one to end the session, no.
That also brings us back to the point about surveillance. To be very clear, what we are talking about here is nothing related to (?) Retention. We're talking about ‑‑
>> AUDIENCE: [Speaking away from mic]
‑‑ more broadly, about the directives going right through the process to be found so problematic in accord with the charter.
>> Right. The court pronounced itself on data retention specifically and the collection of volumes of data. That taken together can reveal important information, for example, about the location of a person over a given period of time. So that might allow if access granted to law enforcement they may be able to identify where they live, work, how they get from the place they live to where they work. It is quite sensitive in terms of the information it can reveal.
What we are dealing here is neither an obligation to retain any such data, nor an obligation to ‑‑
>> MODERATOR: You will be able to talk more in five minutes and then you can ask.
>> In terms of ‑‑ it's very hard without going into the details of the instrument to talk about how it meets human rights standards, which we believe it does otherwise we wouldn't be proposing it. And we also read the rules of our own court. And talking about the impact of the rights than the impact of what the Digital Rights Ireland judgments are dealing with.
>> And anything legally has the high bars of the fundamental rights in the E.U. and has to hold up in court.
>> But it has to be seen by the court itself.
>> MODERATOR: Very good. Before we go to the final summarizing points in each of our panelists, I want to take a big thank you to who will be summarizing points made and it will be made available online, as well as the presentations and the links for the information including from Brazil.
With no further ado, one minute each to summarize your point, please.
>> Okay. First of all, I would like to say we are here representing like I said stakeholders. If you look at the word moot stakeholders we are not here far away of being enemies, we are here together. We are holding hands against one enemy, the bad users of Internet. And the bad users create crimes and sometimes very critical crimes like child abuse, terrorism, etc. Yes, we must incorporate internationally, and we must and are doing it in the federal corporation inside of our country. With some ISPs, with other law enforcement, and with civil society.
And I would like to say as Paul said, we are in the second and third year here and I am glad we are still here discussing it and bringing up again this issue and developing so we can step‑by‑step go forward. I believe that, thank you all a lot.
>> So I think the real summary is we need to keep working on this process. We need to keep working on it together. We need to learn more and more about where the definitional boundaries are between subjects so we can actually craft better rules for jurisdiction. From a tech community perspective or Microsoft perspective as a global cloud provider.
This is a global problem. The patchwork of legislation we are likely to get in the future, but it would be nice if the legislation is harmonized as nicely as possible. Especially the idea that any individual country wishes to assert jurisdiction over extra‑territorially in other jurisdictions where we create global chaos, which is what the foreign case is about, that's a problem.
Other than that, we really want to make sure that we have clear and concise rules to follow.
>> Because county also not tolerate it and they shouldn't tolerate it. It can't be the case that people commit crimes and they are not prosecuted because the evidence isn't available for technical reasons. I don't think that's going to survive much longer.
So when you look at solutions, I hope that we incorporate human rights protections that I outlined earlier, around which I think there is a growing consensus. And no, they don't have to be U.S. standards, they can be articulated, I think, in a way that would be acceptable to many countries.
I will add one more thing: When it comes to coming up with new mechanisms for dealing with this problem, the entities that are working on creating those must have transparent processes, transparency builds trust. And a lack of transparency builds suspicion, distrust and resistance.
I just urge as people are working on things, even the U.S.‑U.K. agreement which is drafted but not public, those things ought to be made public so there can be commentary and improvement from other stakeholders.
>> MODERATOR: Thank you very much.
>> Thank you. I think it is clear there are urgent challenges and the landscape we are looking at how to follow them. And I think you have to ask yourself what is the alternative? Can we afford not to solve those questions? I believe not. And it would have fundamental impact on the future of the Internet, the cloud economy, and the digital societies and how the national and global and open the Internet will be for future generations.
I think it is high time. I think what needs to be achieved is the structure of the global discussions. Very clear overview of the different ongoing processes. Where they are, what they propose, how they interface and how they interact. A big need for sustained coordination between the different actors. There's a big need for cooperation among governments, among all stakeholders, among all different processes. And there is a need for solutions that can scale because Internet penetration is increasing around the world and we need scalable solutions.
And so I also take this opportunity to shamelessly say if you are interested in the second Internet jurisdiction conference there is a session at this tomorrow at 9:00 in room 9.
>> Thanks to the organizers and thanks to you all for attending. I have little to add, but just to say I think the challenge we all face is basically to determine now what else can be done to fix the existing processes and make sure we work as well as we can in the framework of those processes.
And for those cases where we decide the current processes don't fit, come up with legally sound and internationally‑compatible solutions to face the challenges that we address today, thank you.
>> I will conclude, I think we are all agreeing urgent solutions need to be taken to provide the criminal justice authorities for instruments to control the rule of law in cyberspace.
I think we are also agreeing on the fact that individual rights should be protected, become the individual rights of victims or the individual rights of suspects within this framework.
And I think that developing such a framework under the Council of Europe organization, human rights, rule of law and democracy can give sufficient warranty the fact this interest would be balanced and solutions so that all interests will be covered.
>> MODERATOR: Thank you everybody. Please join me in giving a round of applause for our panelists here. Thank you.
[Session concluded at 16:30 p.m.]