EU prosecutors demand: Sanction data-minimizing messenger services

In its final report, the "Going Dark" group sees particular challenges for "lawful" access to data held by Signal & Co. and wants data retention.


The controversial EU High Level Group on Data Access for Effective Law Enforcement (HLG) has published its final report. In line with its separate recommendation paper, it focuses on "lawful" access to data from messenger services such as WhatsApp, Signal, Telegram and Threema. According to the report, these "over-the-top" (OTT) providers, which let users communicate directly over the internet, "pose additional challenges for law enforcement authorities". At both national and EU level, they "often consider that they are not bound by the same obligations as traditional communication providers".

OTT providers do fall within the scope of the European Electronic Communications Code, writes the HLG, also known as the "Going Dark" working group, in its summary. However, they are often based outside the EU and are therefore not subject to general sanctions. This leads to uncertainty regarding their data retention requirements. While traditional communication providers in most cases store some information such as IP addresses with port numbers for business purposes that allow users to be identified, this is not the case with OTT providers.


At the same time, according to the EU prosecutors, the increasing volume of requests received by providers is contributing to them being delayed or rejected. One reason for this is the operators' "specific business model decisions", such as deliberately minimizing the data they collect. The sparse cooperation is also due to the limited number of mechanisms for cooperation between law enforcement authorities and private companies.

In addition, the HLG notes, numerous new technology providers and digital players such as car manufacturers and AI systems with large language models generate and process metadata. This could also provide information about criminal activities. Despite their increasing importance, they are currently not bound by the obligation to store data.

In practice, the common OTT services have not developed any technical mechanisms "to respond to requests from EU member state authorities for lawful interception", the experts criticize. In contrast, the UK has created a framework for the lawful interception of OTT communications with the Investigatory Powers Act, which also applies to services based there thanks to the adoption of the data access agreement with the USA. According to the relevant UK authorities, this makes "a significant difference to crime prevention and investigation".

The group is therefore pushing for Member States to be able to impose sanctions on uncooperative providers of electronic and other communications services. Instruments should include "restricting their ability to do business on the EU market", i.e. blocking at network or app store level, as well as prison sentences for those responsible. The increased cooperation between law enforcement authorities and service providers that the HLG and EU countries have long been calling for will "improve the situation to a certain extent". However, this must also be enshrined in law.

The EU Commission set up the working group last year at the urging of the member states. The starting point was the ongoing Crypto Wars and the associated debate about the "going dark" scenario, according to which increasing end-to-end encryption threatens to make investigators blind and deaf. Scientists consider this to be a myth, but the police and judiciary want the "evil problem" of encryption that they have identified to be solved.

At a meeting with representatives of law enforcement and judicial authorities from the USA last year, they called for access to unencrypted communication data to be integrated directly into the technology using the principle of "lawful access by design". However, a major cyberattack on such surveillance interfaces of US providers shows the negative consequences this approach can have.

The aim of the final report is to "describe in detail the challenges identified by the experts and present options for continuing the work and operationalizing the recommendations". Accordingly, "harmonized and coherent laws on data retention are needed". By 2025, the EU should also issue a recommendation on real-time access to connection and location information retained without cause. In general, "lawful interception is crucial for the effective investigation and prosecution of organized crime and terrorist groups".

"The standard encryption of data on devices is a key challenge", it continues. Investigators often have no choice "but to exploit vulnerabilities". However, such approaches must be reconciled with the goal of ensuring more secure hardware and software. Ultimately, the appeal remains to oblige service providers to hand over communication data in plain text. However, there is no such thing as a little bit of encryption, just as there is no such thing as being a little bit pregnant. In July, the EU Council pledged to seek "legally and technically secure solutions for access to encrypted electronic communications in individual cases", subject to a court order for the prosecution of serious crimes.

(mho)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.