By An Nhien, Iman, Liudmila, Timothy and Alice
In the ever-evolving battle against serious and organized crime, law enforcement agencies (LEAs) are turning to a new weapon: lawful hacking. But as the use of hacking techniques by the European Police Office (Europol) and other agencies becomes more prevalent, questions are being raised about the impact on fundamental rights, particularly the right to privacy. With recent events like the high-profile EncroChat case and a landmark decision of the Court of Justice of the European Union (‘CJEU’), the legality and implications of Europol’s hacking techniques are under intense scrutiny. Join us as we delve into the legal limbo and decode the delicate balance between privacy and public safety in the realm of lawful hacking by Europol.
What is Lawful Hacking?
While there is no singular definition at the EU level, lawful hacking is described as the use of hacking techniques by LEAs to gain access to computer systems and networks for the purpose of investigating criminal activity. Lawful hacking can be classified into two categories:
- remote access to data in criminal investigations,
- forensic examination of seized hard drives.
Europol has declared the need to use lawful hacking due to the strong encryption on electronic devices that undermines the investigation and prosecution of organized crimes as the data is unavailable or unidentifiable. The use of encryption has increased the number of serious crimes, which has been identified by Europol as a threat to public order and safety, the efficiency of the criminal justice system, and the rule of law. However, it remains unclear what tools Europol has at its disposal when it comes to lawful hacking during investigations, as monitoring real-time information and accessing a cloud environment are separate actions and weigh different in infringements. The ambiguousness regarding the tools of lawful hacking used in investigations is an additional obstacle for suspects as such information is deemed classified under public security. LEAs’ use of lawful hacking has become a contentious issue in the European Union (EU), raising questions about the balance between LEAs’ needs and individual privacy rights. The recent EncroChat case is a stark example of the potential impact of lawful hacking by Europol and national LEAs on fundamental rights, particularly the right to privacy. Keep reading as we uncover the ramifications of lawful hacking, considering the EncroChat case.
EncroChat’s Downfall: Privacy and Fundamental Rights at Stake.
In the world of encrypted communication networks, EncroChat was the king of security – until its downfall. EncroChat, an encrypted communication network advertised as a secure means of communication with complete anonymity, was dismantled by a French-Dutch joint investigation team in July 2020, leading to the arrest of several suspects across Europe. But what does this mean for privacy and fundamental rights?
Article 8 of the European Convention on Human Rights (ECHR) guarantees our privacy rights. However, the EncroChat operation involved the development and distribution of malware disguised as an update, raising questions about the legality of the evidence obtained and the right to privacy. The lack of transparency in the methods used has caused uproar in legal circles, with debates about the right to a fair trial and the potential misuse of lawful hacking. EncroChat’s downfall may have been intended for legitimate use, but it highlights the need for vigilance in the face of technological advancements and the complex legal challenges that arise alongside them. As the dust settles, one thing remains clear: our privacy must not be sacrificed in the fight against crime.
Legal Limbo: Europol’s Hacking Techniques Challenged by European Parliament and CJEU.
In a report published by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), concerns about the legality of Europol’s lawful hacking activities were raised. According to the report, there is a risk that Europol’s use of hacking techniques may infringe on fundamental rights. These concerns have been further amplified by the recent CJEU’s decision in the case of Privacy International. Accordingly, the CJEU ruled that the UK’s regime for public authorities’ retention and access to communications data, including LEAs, was inconsistent with EU law. The Court held that communications data’s retention on a general and indiscriminate basis, without any differentiation, limitation, or exception for the objective of fighting crime, was impermissible.
Public Values Privacy Over National Security, Cost Savings
Privacy vs. Public Safety: Decoding Lawful Hacking by Europol
Although there are concerns about the possible violation of privacy rights by lawful hacking, it should be noted that this right is not absolute as it can be restricted under certain circumstances. Simply put, your privacy is only respected if it does not hamper the protection of the fundamental rights of other individuals or, on a larger scale, the interests of public safety/national security. If your privacy affects the latter, it is justified for you to “compromise” your interests for that of public security. It is, therefore, a matter of balancing different (and perhaps opposing) fundamental rights and interests of different parties involved. Concerning the use of lawful hacking for investigation purposes, one of the most important tasks of LEAs like Europol is to balance individuals’ right to privacy and national security, public safety and/or other individuals’ fundamental rights. To do this, Europol must refer to the Charter of Fundamental Rights of the EU (The Charter) and the ECHR since these legal documents protect and balance fundamental rights within the EU.
For instance, Article 8(2) ECHR states that a public authority cannot restrict privacy right unless it adheres to the law and is necessary to protect national security/public safety, etc. This interpretation was confirmed by the Court in Malone v. UK, ruling that a method allowing communications interception to support investigations by LEAs was essential if it met conditions provided by Article 8(2). Three main conditions for a lawful interception by LEAs include:
- such interference/interception is provided by the law;
- it is necessary and proportionate, and
- it aims to pursue legitimate aims such as the protection of public safety or national security or the prevention of crime/disorder
Since lawful hacking is one example of lawful interception, it is also subjected to these requirements. As long as three conditions are met, Europol’s use of lawful hacking does not violate the right to privacy enshrined in the ECHR and the Charter. This was confirmed by Europol by its statement that when implementing lawful hacking only if it is proportionate based on the gravity of the crime and whether less intrusive means are unavailable. So, don’t panic whenever the LEAs are hacking your phone or computer because they will respect and protect your privacy while doing so.