By An Nhien, Iman, Liudmila, Timothy and Alice
In the ever-evolving battle against serious and organized crime, law enforcement agencies (LEAs) are turning to a new weapon: lawful hacking. But as the supporting role of using hacking techniques by the and other agencies becomes more prevalent, questions are being raised about the impact on fundamental rights, particularly the right to privacy. With events like the high-profile EncroChat case and a landmark decision of the Court of Justice of the European Union (‘CJEU’), the legality and implications of hacking techniques in general, and the supporting role of Europol in facilitating lawful hacking in particular, are under intense scrutiny. Join us as we delve into the legal limbo and decode the delicate balance between privacy and public safety in the realm of facilitating lawful hacking by Europol.
What is Lawful Hacking?
There is no singular definition at the EU level. Similar terms such as “lawful hacking”, “law enforcement hacking”, “government hacking”, or “network investigative techniques” are often used interchangeably. However, Liguori argued that “lawful hacking” could be the most appropriate term as it broadly implies both the technical means of this investigative method and the lawful nature of the activity. Hence, he defines “lawful hacking” as the use of hacking techniques by LEAs to gain access to computer systems and networks for the purpose of investigating criminal activity. Simply put, LEAs would exploit the vulnerabilities of software, hardware, or firmware, to gain access to technical devices and then extract data and evidence from such devices. For instance, LEAs can conduct a forensic examination of seized smartphones after using algorithms to find the password of such smartphones.
Europol has declared the need to use lawful hacking because strong encryption on electronic devices undermines the investigation and prosecution of organized crime, as the data is unavailable or unidentifiable. The use of encryption has increased the number of serious crimes, which has been identified by Europol as a threat to public order and safety, the efficiency of the criminal justice system, and the rule of law. At the same time, the use of lawful hacking itself can also pose risks to the protection of fundamental rights. Indeed, the application of this method can, for instance, interfere with individuals’ privacy if LEAs excessively access personal data without sufficient valid reasons or legitimate aims. As such, LEAs’ use of lawful hacking has become a contentious issue in the European Union (EU), raising questions about the balance between LEAs’ needs and individual privacy rights. The landmark is a stark example of the potential impact of lawful hacking by Europol and national LEAs on fundamental rights, particularly the right to privacy. Keep reading as we uncover the ramifications of lawful hacking, considering the EncroChat case.
EncroChat’s Downfall: Privacy at Stake.
In the world of encrypted communication networks, EncroChat was the king of security – until its downfall. EncroChat, an encrypted communication network advertised as a secure means of communication with complete anonymity, was dismantled by a French-Dutch joint investigation team in July 2020. Specifically, in the EncroChat case, LEAs hacked into a secure messaging platform that was believed to be exploited by criminals, gaining access to private conversations, gathering evidence, and leading to the arrest of several suspects across Europe. While the investigative method of lawful hacking helped in capturing criminals, does it also negatively impact the privacy of other normal users like us?
Article 8 of the European Convention on Human Rights (ECHR) guarantees our privacy rights. However, the EncroChat operation involved the development and distribution of malware disguised as an update, raising questions about the legality of the evidence obtained and the right to privacy. The lack of transparency in the methods used has caused uproar in legal circles, with debates about the potential misuse of lawful hacking. This means that while LEAs might have had legitimate aims when they broke into the EncroChat system, they should do this very carefully because of the complex legal issues that arise alongside them, especially those related to privacy protection. In short, before deciding to apply lawful hacking or to assist in its application, LEAs must take into account whether and to what extent this method can interfere with the individual’s privacy.
Legal Limbo: Hacking Techniques Challenged by European Parliament and CJEU.
In a report published by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) in 2017, even before the EncroChat case, concerns about the legality of lawful hacking activities conducted or supported by LEAs were raised. According to the report, there is a risk that the use of hacking techniques may infringe on fundamental rights. These concerns have been further amplified by the CJEU’s decision in the case of Accordingly, the CJEU ruled that the UK’s regime for public authorities’ retention and access to communications data, including LEAs, was inconsistent with EU law. The Court held that communications data’s retention on a general and indiscriminate basis, without any differentiation, limitation, or exception for the objective of fighting crime, was impermissible.
Privacy vs. Public Safety: Decoding Lawful Hacking by Europol
Although there are concerns about the possible violation of privacy rights by lawful hacking, it should be noted that this right is not absolute as it can be restricted under certain circumstances. Simply put, your privacy is only respected if it does not hamper the protection of the fundamental rights of other individuals or, on a larger scale, the interests of public safety/national security. If your privacy affects the latter, it is justified for you to “compromise” your interests for that of public security when you are legally requested, for instance, to provide access to your personal information by LEAs. It is, therefore, a matter of balancing different (and perhaps opposing) fundamental rights and interests of different parties involved. Concerning the use of lawful hacking for investigation purposes, one of the most important tasks of LEAs is to balance individuals’ right to privacy and national security, public safety and/or other individuals’ fundamental rights. To do this, Europol must refer to the Charter of Fundamental Rights of the EU (The Charter) and the ECHR since these legal documents protect and balance fundamental rights within the EU.
For instance, Article 8(2) ECHR states that a public authority cannot restrict the right to privacy unless the restriction adheres to the law and is necessary to protect national security/public safety, etc. This interpretation was confirmed by the Court in Malone v. UK, ruling that a method allowing communications interception to support investigations by LEAs was essential if it met the conditions provided by Article 8(2). The three main conditions for a lawful interception by LEAs are:
- such interference/interception is provided by the law;
- it is necessary and proportionate; and
- it aims to pursue legitimate aims such as the protection of public safety or national security or the prevention of crime/disorder.
Since lawful hacking is one example of lawful interception, it is also subject to these requirements. As long as the three conditions are met, the role of Europol in supporting lawful hacking does not violate the right to privacy enshrined in the ECHR and the Charter. Europol, in the joint Eurojust-Europol annual report on encryption in 2021, emphasizes that it would follow such requirements by stating that their technologies must be accompanied by suitable protections, such as standards of necessity and proportionality, to ensure the admissibility of collected electronic evidence in court. So, don’t worry whenever the LEAs are hacking your devices because they will respect and protect your privacy while doing so.