Europe eyeing direct access to cloud services for police data requests

In the wake of a spate of terror attacks across Europe, regional interior ministers have been talking tough on tech. Encryption is one technology that’s been under fire from certain quarters.

There also has been renewed discussion about ways to speed up how law enforcement agencies request data from tech companies — so called e-evidence — even when the requesting force is sited in a different EU country to where the tech firm is based.

The original intent with e-evidence proposals was aimed at removing barriers to investigating cybercrime, although yesterday the EC’s Justice Commissioner Vera Jourová suggested such moves are important for counterterrorism efforts, too.

The core issue is the length of time it takes for law enforcement agencies to access data from cloud services located in another EU member state. The European Commission committed to addressing the e-evidence issue as far back as April 2015, but is just now reaching the proposing solutions stage of the process.

Yesterday, at a meeting in Brussels, EU justice ministers discussed commission proposals aimed at expediting data requests across the region, Reuters reports, agreeing that a legislative approach is needed (although not yet on what the exact approach will be).

Three options are being discussed, with Jourová telling the news agency that one is the possibility for police to copy data directly from the cloud — aka direct access. Albeit, she couched this as an “emergency possibility” — such as for situations where authorities do not know the location of the server hosting the data or if there is a risk of data being lost.

Another option would see companies obliged to turn over data if requested by law enforcement authorities in other member countries.

While the third, least intrusive option would involve allowing law enforcement authorities in one EU member state to ask an IT provider in another to turn over electronic evidence without having to ask that member state first.

According to an EC spokesperson, justice ministers were most focused on so-called “production orders” — i.e. measures to compel the cloud service provider to produce the requested data — at the meeting, although direct access to cloud services was also discussed.

The latter measure could be difficult to square with the region’s data protection and privacy rules, however — something Jourová flagged up herself after the meeting, telling Reuters that direct access would require “additional safeguards protecting the privacy of people,” such as requiring that law enforcement requests are necessary and proportionate.

“You simply cannot massively collect some digital data for some future use,” she added.

In December, Europe’s top court ruled that governments in the region cannot place “general and indiscriminate” data retention requirements on communications service providers — a ruling that stemmed from a legal challenge to earlier U.K. surveillance legislation (but which also casts doubt on the legality of the U.K.’s current investigatory powers regime). So the EC will clearly need to tread carefully if it’s intending to draft a direct access law.

A commission spokesperson told us that based on the discussion between Justice ministers it will prepare a legislative proposal by the end of this year or early 2018.

“The Commission is working on facilitating the work of law enforcement authorities in the digital age. Commissioner Jourová presented at the Justice Council three legislative options to improve access to e-evidence. She also presented some short term actions that can be taken immediately,” said the spokesman in a statement.

“Ministers all agreed that a legislative approach is needed, they mostly discussed the option of ‘production orders,’ but also measures regarding direct access. Based on their discussion, the Commission will prepare a legislative proposal by the end of this year or early 2018,” he added.

Earlier this year Jourová raised the issue of encryption as a barrier to law enforcement’s access to data — making public comments about the need for a “swift, reliable response” from encrypted apps when asked by authorities to hand over decrypted data.

Her comments back in March suggested the EC might be preparing some kind of decrypt legislation. Although when asked for clarity on its position at the time the commission told us that no decisions had been made about how to approach encryption, and discussions among justice ministers were not “very advanced.”

Asked for its current position on the technology, the EC spokesman said: “The Commission is working with experts and stakeholders at all levels to better define the challenges regarding encryption in criminal investigations and explore the possible options.”

He added that it “supports the importance of encryption for the protection of confidentiality of communication and as an essential tool for security and trust in the digital economy.”