MECHELEN, Belgium — Investigators like Philippe Van Linthout spent much of the past decade pushing big tech companies like Facebook and Google to hand over data for their probes — and often failing.
Now, Europe’s cops are about to get some new firepower in their global fight for “e-evidence.” After years of complaints from EU law enforcement about stonewalling from tech firms, the European Commission is about to unveil legislation that would grant investigators considerable new powers.
The draft, which is expected to be published by end-March or early April, would force IT providers to give data to law enforcement if they can demonstrate the data is linked to a crime. Privacy advocates who pushed for sweeping new rules on data protection, known as the General Data Protection Regulation, are not pleased.
But for Van Linthout, a Belgian investigative judge who handles serious crimes in this town about a 30-minute drive outside Brussels, the boost from the Commission is long overdue. Speaking at his office, he pointed to piles of unsolved cases on his desk, which he said all have one thing in common: They won’t be solved unless firms like Facebook, Google and Apple start coughing up more data-based evidence.
“Pick a file, any file,” Van Linthout said, referring to open cases that range from terrorism to murder and organized drug smuggling. “Nine out of 10 cases can’t be solved without access to data.”
His plea echoes frustration among EU investigators who find themselves at odds with Big Tech.
Law enforcement officials point out that use of encrypted messaging is now standard among terrorists and criminal gangs. Thanks to competition among big and small tech companies, they can choose among half a dozen ultra-secure messaging systems, from Telegram to Facebook-owned WhatsApp.
Yet when Van Linthout asks those firms for information about suspects, he said the response from the companies is all too often “sorry, can’t help.” In the case of smaller firms, there is often no response at all.
Unless an investigator can prove imminent danger to human life — not easy in a murder case with a cooling corpse — tech firms are reluctant to provide clues that undermine their encryption sales pitch. “You’re left with the corpse, the suspect and no information,” he said.
Help from Jourová
Facebook representatives, speaking on condition of anonymity to discuss confidential interactions with law enforcement, said the obstacle to accessing messages on encrypted services was first and foremost technical. It was not possible to access end-to-end encrypted messages on WhatsApp without breaking encryption for all users, they argued late last year, adding that investigators were aware of such constraints.
Facebook regularly assists EU law enforcement, one representative added, without specifying any cases. Big Tech also faces limits in U.S. law that require it to demonstrate immediate and urgent danger before sending bits of data to European legislators.
For Van Linthout, however, cooperation still falls short. What he wants is access to metadata — information about who is in contact with whom, not what’s inside the exchange. Too often, it’s denied.
The Commission’s proposal is set to give Van Linthout new leverage.
Pressured in the wake of terrorist bombings in Paris and Brussels that involved the use of encrypted messaging, Brussels is about to create a “production order” that investigators could use to force tech firms to fork over data. The proposal is expected to be unveiled at the end of this month or mid-April, according to two people close to the file.
“It is clear the Commission needs to act here and come up with pan-European rules,” Justice Commissioner Věra Jourová said at the end of last year, adding that the proposal called for giving law enforcement “direct access” to the information they need.
A senior Commission official who asked not to be named said the proposal is “probably the boldest thing we can do on criminal law.”
Even the tech companies may find the proposal useful, as it aims to clarify their obligations before the law. Apple, Google, Facebook and Microsoft have all held meetings with Jourová in the past few months, with Google dispatching its general counsel, Kent Walker, to Brussels to lobby her on the matter.
Europe’s data schizophrenia
There’s another obstacle standing in Van Linthout’s way: Europe’s schizophrenic attitude toward data.
On one hand, lawmakers want to give police a free hand to fight crime. On the other, citizens have pushed back against governments and big companies snooping through their personal data unrestricted, and soon the strictest privacy regulations in the world, the General Data Protection Regulation, will be enforced in Europe.
EU privacy rules have proved just as restrictive for Van Linthout as the resistance of Big Tech firms. He cites one example from 2015, when investigators were chasing a terrorist plotter in Brussels who was planning an attack on New Year’s Eve and left a trail of evidence on several web pages.
The problem was that some of it was too old. “We had him. His internet protocol address led to Belgium, but the data was older than two years, so data retention [meant] the data was thrown away,” he said, adding that the suspect could not be caught as a result.
Data retention is a common gripe among investigators, after two major rulings by the European Court of Justice that said countries cannot force firms to store their data for law enforcement purposes without setting strict limits and safeguards.
The Commission’s proposal is unlikely to clear up confusion over data retention, as the rulings are part of a broader push to strengthen privacy laws following Edward Snowden’s 2013 revelations about the extent of surveillance by the U.S. National Security Agency.
Which is why investigators like Van Linthout feel hostage to geopolitical considerations.
Europe and the U.S. now find themselves engaged in a race to draw the lines of what law applies on the web. Microsoft is fighting a U.S. warrant in a key court case that has gone all the way to the U.S. Supreme Court.
The U.S. wants Microsoft to hand over data stored in Ireland. The Commission says Microsoft would risk violating the EU’s data protection laws if it complies.
Both sides would like the power to ask for data to solve crimes and stop terrorist networks. But current processes to get data for law enforcement purposes, through Mutual Legal Assistance Treaties, are too slow, lawmakers agree. Google estimates show it takes an average of 10 months of waiting time for the data to be processed legally.
The Commission’s proposal would suggest ways for prosecutors to ask for data stored outside of their jurisdiction, and even outside of Europe.
“We need to get the balance right … The tricky thing is that, if we’d do it only for the EU territory, we wouldn’t catch much,” the senior official said. “We’d address IT providers who are offering services here … They are making big profits here, they are building their client base here, but they also have to be responsible.”