Criminal investigations increasingly rely on so-called “electronic evidence”, i.e. the gamut of user data collected by online services. Are the categories used in legislation still the right ones to ensure proper human rights protections? Three categories, corresponding to different levels of protection, and largely descending from historic practices in relation to telecom operators, are routinely used,: Subscriber data (towards identifying users as suspects or victims), Content data (the substance of communication between users), and Traffic and/or transactional data (consisting of timestamps, log of ip addresses, source and destination of communications, etc.). As digital services become ubiquitous, the diversity of user data collected by service providers has grown exponentially. Thus many more types of user data can be requested or obtained.
This gives rise to two important questions: Are the existing protections attached to the three categories sufficient with respect to new types of data (eg: a fitbit device collecting users’ heart-rate and sleep patterns)? More generally, should any type of user data collected by a Service Provider be requestable as part of criminal investigations and construed as electronic evidence? (Eg: behavioural and preference user profiles developed by social media platforms to feed into predictive modelling algorithms).
This session seeks to raise awareness on the limitations of the current system, built upon the vestiges of a bygone telco era. It will articulate the need for a purpose-oriented and rights-respecting framework through the framing of different perspectives by interventions from Civil Society, Government and Industry actors.
Host institution: Electronic Frontier Foundation (EFF) | Center for Democracy & Technology (CDT) | Internet & Jurisdiction Policy Network | Cross-Border Data Forum