Study on legal issues relevant to combating criminal activities perpetrated through electronic communications

Final Report

1. Scope of Study

The objective of this study was to examine certain issues raised by the need to combat criminal activities perpetrated over communication networks, such as the Internet. The perspective guiding the study was a recognition that law enforcement agencies faced significant new challenges when trying to carry out an investigation in such networked environments. The extent to which such problems could be addressed through the granting of new powers of investigation was to be considered.

Any criminal investigation interferes with the rights of others, whether the person is the subject of the investigation or a related third party. In a democratic society any such interference must be justifiable and proportionate to the needs of that society to be protected from such crimes. The study attempts to gauge the emerging needs of law enforcement agencies balanced against the rights of individuals, as recognised in the European Convention on Human Rights, as well as the interests of third party communications service providers, as the intermediaries which build and operate the networks over which criminal activities are being carried out.

The purpose of any criminal investigation is to obtain sufficient evidence of the illegal activity to enable the perpetrator to be identified and subjected to criminal proceedings. The evidence being sought will usually extend to the activities of the perpetrator in carrying out his crime (eg. downloading images), the actual offence itself (eg. the virus) or the effects of the criminal activity (eg. the damaged system). In a networked environment, such evidence may be obtained from items in the possession of the accused, the victim(s) or a third party. A communication service provider, as the third party relevant to this study, will be processing evidentially relevant data either in the course of providing the service itself (eg. transmission) or on its own behalf (eg. billing data).

The conclusions and recommendations of this study can be broadly sub-divided into two categories. First, general issues of principle are addressed in terms of the appropriate framework to deal with certain aspects of criminal investigations in a networked environment: access to stored data, access to protected data and distinctions between communications content and communication attributes. These issues are primarily concerned with achieving a balance between the interests of law enforcement agencies and those subject to the investigation, primarily the rights of individuals. Second, the study addresses the potential impact that the legal regimes addressing these three areas of study may have on the providers of the communication services and networks that comprise the networked environment.

The existence of appropriate substantive offences within Member States, addressing both traditional criminal activities (eg. fraud and pornography) and novel threats (eg. ‘hacking’ and viruses), was beyond the scope of this study.

The transnational nature of many communications networks raises complex issues relating to the exercise of law enforcement powers across multiple sovereign jurisdictions. The establishment of appropriate procedures for co-operation between states has been the subject of recent agreement at a European Union level as well as within other international fora. The study has therefore limited its consideration of those issues subject to such agreements.

2. Study Methodology

One of the key elements of this research was an examination of the attitude and perceptions of Communication Service Providers (CSPs) with respect to their role in the investigation of computer crime. The study has utilised two main sources of information in this regard: publicly available materials and face-to-face interviews. The former was greatly assisted by the fact that, during the period of the study, the UK was in the process of adopting new legislation in the area: The Regulation on Investigatory Powers Act 2000. As a consequence, a considerable amount of public debate took place, and much literature was generated, concerning the potential impact that such legislation would have on CSPs and their response to the issues raised.

A survey was prepared and distributed to CSPs (see Appendix I.3). However, the response was very disappointing both in terms of the numbers of replies and the quality of information garnered from the submissions. The study therefore engaged in a series of face-to-face interviews with a representative sample of CSPs operating within Europe. Whilst such interviews do not generate any quantitative data, due to the sample size, they do provide an extremely valuable qualitative insight into the issues faced by CSPs in respect of the area of study. It was also possible to validate the responses of the interviewees against the publicly available material referred to above.

The CSPs who participated in the interview process (see Appendix I.1 - confidential to the contractors and the European Commission) were approached on the basis that they represent some of the main categories of player within the burgeoning market for communication services:

The responses of the interviewees have been consolidated into a report appended to the Final Report: Appendix I.2.

The study also distributed a survey to contacts in law enforcement agencies both within Europe and in other jurisdictions (see Appendix II.3). Whilst the numbers of responses were greater than those received from CSPs, the quality of information supplied was again somewhat disappointing. The feedback from the survey was therefore supplemented by face-to-face interviews with officers from several of the law enforcement agencies surveyed (see Appendix II.1). The results of the surveys and interviews have been consolidated into a report appended to the Final Report: Appendix II.2.

During the course of the study, data was obtained about the relevant legislative regimes in a range of jurisdictions. This information is presented in Appendix IV in both country-by-country and in a tabulated comparative form.

The opinions expressed in this study are those of the authors and do not necessarily reflect the views of the European Commission.

ECSC-EC-EAEC, Brussels, Luxembourg (2000).

3. Access to Stored Data

Law enforcement agencies generally have sufficient powers to search premises and seize relevant materials, subject to restrictions on obtaining certain types of data, such as legally privileged material. An issue in the seizing of computer-derived evidence is the volume of potentially relevant material, which makes the task of sorting protected material from non-protected material substantially more complex. The issue of obtaining access to protected material is addressed in Section 4 below.

This study has identified two key issues in relation to law enforcement access to stored information:

From a law enforcement perspective, the intangible nature of data generated by the use of communications technologies creates obvious evidential problems during an investigation. As a consequence, there have been some calls for a legal obligation to be imposed upon CSPs to retain certain types of data for a minimum period of time for the purpose of potential subsequent criminal investigations. Such data retention obligations could be in respect of data recorded by CSPs in the normal course of business (eg. billing data), or could encompass categories of data specifically identified as being of assistance in any subsequent criminal investigation (eg. Internet log-on session data).

European data protection law requires that data should not be held in an identifiable manner for any longer than is necessary for "the purposes for which the data were collected or for which they are further processed". Data should also be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes". However, with respect to ‘traffic and billing data’ (see further Section 5 below), Directive 97/66/EC expressly specifies the purposes for which such data may be processed:

"…handling billing or traffic management, customer enquiries, fraud detection and marketing the provider’s own telecommunications services and it must be restricted to what is necessary for the purposes of such activities." (art. 6(4))

However, as a matter of general Community law, the data protection directives do not extend to "activities of the State in areas of criminal law", which would enable a Member State to legislate specifically to allow the processing of such data for the purposes of criminal investigation. In addition, Directive 97/66/EC expressly provides that a Member State may derogate from this provision, where it is a necessary measure for the investigation of "criminal offences or of unauthorised use of the telecommunications system" (art. 14(1)). A specific legal obligation upon CSPs to retain certain data would not therefore seem to be in breach of existing European data protection law.

In Belgium, for example, recent draft legislation, adopted by the Chamber of Representatives, requires that CSPs retain "les données d’appel de moyens de télécommunications et les données d’identification d’utilisateurs de services de télécommunications" for a period of at least 12 months. The Council of Europe draft Cybercrime Convention does not include such a specific retention obligation, but does provide that measures be adopted which

"enable its competent authorities to order or otherwise obtain, for the purpose of criminal investigations or proceedings, the expeditious preservation of data that is stored by means of a computer system, at least where there are grounds to believe that the data is subject to a short period of retention or is otherwise particularly vulnerable to loss or modification."

This wording could be interpreted either narrowly, only granting a power in respect of specific identifiable data which may be lost; or broadly, enabling a system to be established for certain types of vulnerable data, such as traffic data, similar to the Belgian draft law.

In the absence of specific legal authority, to what extent would voluntary retention of data by CSPs for investigative purposes constitute a breach of European data protection principles? In respect of ‘traffic and billing data’, the only relevant grounds for retention would seem to be ‘fraud detection’, which would seem fairly limited in terms of the potential range of criminal activities. For other types of data, such as Internet session traffic, generated in the normal course of a CSP’s business, any subsequent retention for investigatory purposes would usually be a secondary purpose, distinct from the purposes for which such data was collected. Directive 95/46/EC does envisage the possibility that further processing may occur for purposes other than those "specified, explicit and legitimate", provided that such other purposes are not "incompatible". What constitutes an incompatible purpose? A literal interpretation would seem to suggest only that the secondary purpose should not have negative consequences vis-à-vis the primary purpose(s). If such an interpretation were accepted, it would suggest that as a general principle processing (ie. data retention) for the purpose of possible criminal investigation should not be considered to constitute a breach of Article 6(1)(b). Such a conclusion would not seem applicable, however, to the retention of data specifically designed to assist an investigation (eg. Internet log-on session data), since the primary purpose of the processing would then be for investigatory purposes.

The Article 29 Committee, established under Directive 95/46/EC and comprising the data protection supervisory authorities in the Member States, has raised specific objection to the retention of traffic data for law enforcement purposes on the grounds that it creates a threat to an individual’s privacy. In terms of jurisprudence under the European Convention on Human Rights, it would seem arguable that broad retention obligations for law enforcement purposes are neither a necessary nor a proportionate measure, and fail to ensure respect for a person’s private life.

For the CSP who is required to store the information, the concerns are primarily those of feasibility and cost. In terms of feasibility, significant concerns have been raised about the possible imposition of data retention requirements in respect of data not currently recorded in the normal course of the CSP’s business: E.g

The volume of data involved is also likely to be considerable and expanding at an exponential rate. The cost of storage, in a secure and accessible manner, is likewise likely to be a considerable burden. Finally, it should also be noted that the systematic storage of communications content by a CSP has potential liability implications, as recognised in the recently adopted Directive on electronic commerce.

Recommendations:

Stored data that is made available to the public through Internet-based services, such as the Web or FTP, should be accessible to investigative authorities without the need to go through formal inter-state procedures. This has been explicitly recognised in the draft Cybercrime Convention:

"A Party may, without obtaining the authorisation of another Party:

a) access publicly available (open source) stored computer data, regardless of where the data is located geographically; or

b) access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system."

However, those engaged in certain types of criminal activities, such as distributing pirated software or viruses via an electronic bulletin board, may simply impose restrictive access procedures on those visiting the site, preventing general public access. The ability of users of communication services to hamper the investigation of criminal activities across communication networks is reviewed in Appendix III. In the UK, for example, specific statutory amendment was required to address this issue and enable investigations of bulletin boards to be carried out without committing an offence under the Computer Misuse Act 1990:

"…and nothing designed to indicate a withholding of consent to access to any program or data from persons as enforcement officers shall have effect to make access unauthorised…"

Such a right is also recognised in the Council of Europe draft Convention:

"Each Party shall take such legislative and other measures as may be necessary to empower its competent authorities to search or similarly access:

(a) a computer system or part of it and computer data stored therein; or

(b) a computer-data storage medium in which computer data may be stored

in its territory for the purposes of criminal investigations or proceedings" (art. 14(1))

The scope of such a power, however, should be more narrowly drafted so as not to legitimise the use of ‘hacking’ and related techniques by law enforcement agencies to circumvent data security measures utilised on remote systems. Such proactive activities by investigators, including the deliberate alteration or modification of information held on a remote system, should be subject to specific procedural controls, akin to interception regimes, and limited, for example, to crimes of a particular level of seriousness. Any such provision is unlikely to be acceptable in the context of a transnational investigation, as it would raise similar issues of sovereignty to those concerning the seizure of materials.

Recommendation:

4. Access to Protected Data

As discussed above, evidentially-relevant data may be obtained through intercepting a communication session or from a party who has stored the data. However, the data once obtained may be in a form that is designed to protect it from being disclosed to third parties; for example, data can be encrypted in order to ensure its confidentiality. Users of communications networks are increasingly aware of the need to implement such data security techniques, to meet both their own operational and commercial needs as well as statutory obligations designed to protect the rights of third parties: eg.

"Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing"

The nature of data security technologies means that investigating authorities have essentially three options in respect of gaining access to the protected data:

The first option represents standard criminal procedure among the Member States. Under the second option, proposals have been made in some jurisdictions for specific requirements to deliver up ‘keys’ to render data intelligible:

"‘key’ in relation to any electronic data, means any key, code, password, algorithm or other data the use of which (with or without other keys)-

    1. allows access to the electronic data, or
    2. facilitates the putting of the data into an intelligible form".

Such an obligation differs from the approach taken in traditional investigations. Criminal procedures do not, generally, contain express requirements to provide, for example, the combination to open a metal safe. However, modern data security techniques have been seen by some policy-makers as requiring a specific legislative response. In contrast, some jurisdictions have legislated expressly against such a requirement. Such a divergence of approach between Member States may have consequences for the development of the Single Market.

In addition, a number of distinctions need to be recognised in relation to the second option. First, the data security technique being delivered up may either be specific to an individual or it may be a tool that protects the data of a community of users, such as a company’s employee email over an Intranet. In the latter scenario, the obligation to disclose gives rise to potential vulnerabilities both in terms of the individual rights of others, ie. other protected users, and the interests of legal entities, ie. the corporation. Under European Convention jurisprudence, the potential for collateral infringements of third party privacy rights must be necessary and proportionate to the object of the interference. The potential exposure of the corporate entity to a breach of its security may have significant consequences for its commercial activities, particularly in relation to adverse publicity and perceptions of trust. Such concerns have historically meant substantial under-reporting of computer crimes, such as hacking and fraud.

Second, the person subject to the requirement may be the person under investigation or a related third party, such as a company or communications service provider. Again, where the requirement is imposed on a third party, adequate consideration needs to be given to the costs, in the widest sense, being imposed on that third party. For example, in terms of CSPs, a requirement to disclose keys protecting the data of its customers could restrict the growth of the market for services such as ‘key escrow’, where a third party maintains copies of cryptographic keys as a safeguard against loss or destruction. The needs of law enforcement could, therefore, militate against the use of data security services that are seen as being critically important to the development of an ‘Information Society’.

Third, the security technique may be operational for a single communication session (eg. a ‘nonce’ cryptographic key) or for a particular user or application over a period of time. In the latter case, where the disclosure is made by a third party without the knowledge of the investigated subject, investigators will be able to access not only prior data but also any future data that may be communicated. In terms of interference with an individual’s private life, the threat posed by on-going access requires that investigative authorities be subject to appropriate additional procedural controls.

Another concern regarding the second option is that certain data security techniques may be utilised for the provision of different security functions. For example, a cryptographic key may be used for digitally signing data, achieving authentication and integrity functions, as well as for confidentiality purposes. In such circumstances, the obligation to deliver up the tool should only be applicable where the tool had been used for the latter purpose.

The viability of the third option, converting the data into an intelligible form through utilising available techniques, would seem to depend on a number of factors, including the strength of the technology used by the party applying the security technique; the functionality of future technology, and the period within which the data realistically needs to be converted. In the longer term, it will depend on future developments in technology since techniques may be developed which are essentially incapable of being overcome. However, some governments have recognised the need to establish some such ‘in-house’ technical capability to assist law enforcement investigations.

Where a legal obligation is imposed upon a person in relation to an investigation, a failure to comply will inevitably result in sanctions. Such sanctions may comprise either the commission of a separate offence; an offence related to the exercise of the enforcement powers, or some form of adverse or incriminating inference raised in the course of any subsequent related criminal proceedings, eg. possession of obscene material. The latter approach may be statutorily based, as in the United Kingdom, or may comprise a factor in civil law jurisdictions where evidence is freely assessed with regard to all relevant circumstances, including the behaviour of the accused.

Where an offence is committed through non-compliance with a lawful requirement, any penalty will need to act as an appropriate deterrent against such a refusal to comply. However, in certain circumstances, it is likely that a person may choose not to comply with the request to disclose, thereby accepting the penalty, rather than comply and potentially expose themselves to prosecution for a more serious offence with greater penalties. Whilst such a scenario may be unfortunate, it would seem to be a necessary compromise where the rights of the individual are balanced against the need to protect society.

The raising of an adverse inference against a person in criminal proceedings for a failure to supply certain information (under the first two options above) could raise issues concerning the right to a fair trial, under Article 6 of the European Convention on Human Rights. In particular, it may be viewed as an infringement of the individual’s right to silence, right not to self-incriminate and the principle that the prosecution has the burden of proving a case. Convention jurisprudence indicates that whilst a conviction may not be based solely or mainly on a refusal to supply such information, an adverse inference may in specified circumstances be drawn from such a refusal when assessing the evidence adduced by the prosecution.

Recommendations:

5. Content and Communications Data

Historically, national legal systems have distinguished between the interception of the content of a communication and the data related to the communication session itself, ie. its attributes, such as telephone numbers and call duration. Such a distinction would seem to be based on a popular perception that access to the content of a communication represents a greater threat to personal privacy than access to the related communications data. Such a sentiment can be found in the European Court of Human Rights:

"By its very nature, metering is therefore to be distinguished from interception of communications, which is undesirable and illegitimate in a democratic society unless justified."

However, developments in telecommunications would seem to have led to a qualitative and quantitative shift in the nature of data being generated through the use of communications technology. For example, mobile radiotelephony generates data relating to the geographical position of the user, which is enabling the development of a range of location services.

To date, the European Court of Human Rights has not been required to address the distinction between the obtaining of communications content and its associated attributes in terms of the application of Article 8. It can be expected, however, that Member States will be obliged to meet similar objective criteria (‘in accordance with the law’) in respect of access to communications data as exist for communications content.

Whilst EU data protection law recognises no distinction in the treatment given to communications data and content, the particular privacy threats raised by communications data are specifically addressed in Directive 97/66/EC on data protection in the telecommunications sector. The Directive distinguishes between ‘traffic data’ and ‘billing data’. The former comprises that data which "is processed to establish calls and stored" by the CSPs involved. The term ‘call’ has been seen as being restricted to voice telephony; the Commission has therefore proposed that the scope of the provision be broadened: "processed for the purpose of the transmission of a communication". ‘Billing data’ comprises both ‘traffic data’ and data relating to the subscriber to whom the CSP supplies the service.

It would seem to be arguable that the threat to individual privacy from obtaining communication attributes data as opposed to communications content is of similar importance in modern network environments. However, although there would appear to be no current requirement in Member States’ laws to treat access to such categories of data under a similar legal regime, the Commission has recently proposed such equality of treatment:

"Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation…"

In contrast, whilst ECHR jurisprudence addresses the need to have a clear and accessible legal framework for the protection of privacy, it has not considered the issue in a comparative sense: whether particular threats to privacy must be treated in a similar way by national legislation.

The main issue raised by differential legal treatment is that in modern communications networks the distinction between communication attributes and content is becoming increasingly blurred. A web-based Uniform Resource Locator (URL), for example, contains not only details of the IP address of the web site being accessed, akin to a traditional telephone number; but will also often contain further information in relation to the content of the requested communication, eg. a particular item held on the site or a search string will contain the embedded parameters of the search. The introduction of touch-tone technology has also enabled an individual to key in his credit card details when using a telephone banking service; although the keyed in data may redirect a call to another switch, a technique often used by ‘hackers’ to obtain fraudulent access to communications services. Such so-called ‘post-cut-through’ data render any legal categorisation based on a technical distinction between signalling and content channels unworkable.

Under US law, a distinction is made between communications content and ‘call-identifying information’, which is defined as follows:

"…dialing or signaling information that identifies the origin, direction, destination, or termination of each communication generated or received by a subscriber by means of any equipment, facility, or service of a telecommunications carrier." [47 USCA § 1001(2)]

From a law enforcement perspective, the communications attribute of primary interest in an investigation is such identifying information. Whilst this would seem a relatively clear statutory definition, a decision by the Federal Communications Commission to encompass ‘post-cut-through dialed digit extraction’ within this definition was recently overturned in the Appeals Court partly on the basis that "there is no way to distinguish between digits dialed to route calls and those dialed to communicate information".

In the UK, the distinction is made between the communication and ‘traffic data’:

"(a) any data identifying, or purporting to identify, any person, apparatus or location to or from which the communication is or may be transmitted,

(b) any data identifying or selecting, or purporting to identify or select, apparatus through which, or by means of which, the communication is or may be transmitted,

(c) any data comprising signals for the actuation of apparatus used for the purposes of a telecommunication system for effecting (in whole or in part) the transmission of any communication, and

(d) any data identifying the data or other data as data comprised in or attached to a particular communication,

but that expression includes data identifying a computer file or computer program access to which is obtained, or which is run, by means of the communication to the extent only that the file or program is identified by reference to the apparatus in which it is stored."

Sub-section (c) is designed to cover situations of ‘dial-through fraud’, where calls are re-routed over circuit-switched networks to avoid service charges. However, it would seem to be so broadly defined that it potentially covers any signals sent using touch-tone technology, such as bank account details which should more appropriately be treated as content. The final phrase of the definition is designed to limit the concept of ‘traffic data’ in an Internet-context to the apparatus identified by the IP address and not any files or programs stored on the machine.

Under UK law, ‘traffic data’ is a sub-set of a broader categorisation of data, ‘communications data’, which also includes data relating to usage of the communications service, eg. call duration, and other information concerning the person to whom the CSP provides the service, eg. subscriber address details. Access to such data is subject to a different regime than that applicable to communications content.

The Council of Europe draft Cybercrime Convention also uses the term ‘traffic data’:

"traffic data" means any computer data relating to a communication by means of a computer system, generated by the computer system that formed part in the chain of communication, indicating its origin, destination, path or route, time, date, size, duration or type of underlying [network] service. (art. 1(d))

Finally, the European Commission has also recently proposed a regulatory definition of ‘traffic data’ for data protection purposes:

"‘traffic data’ shall mean any data processed in the course of or for the purpose of the transmission of a communication over an electronic communications network"

Such a broad definition does not enable a clear distinction to be drawn between the content of a communication and its related attributes; although such a distinction is not necessarily problematic from a privacy protection perspective. However, the existence of different regulatory definitions of ‘traffic data’ within the European Union could give rise to differential treatment in the Member States, which could create legal uncertainties for all concerned.

In the URL example given above, how would such ‘call-identifying information’ or ‘traffic data’ be technically separated from associated content, such as file details? Reliance on the agencies themselves to distinguish such data would seem unacceptable, which requires us to consider the role of the CSP over whose network the data is being sent during the interception process. To safeguard the rights and freedoms of the individual, the relevant CSP would need to be able to identify the relevant data and then automatically separate ‘call-identifying’ information for forwarding to the appropriate requesting authority. Under US law, such an obligation is enshrined in the law:

Carriers are required to "facilitat[e] authorized communications interceptions and access to call-identifying information…in a manner that protects…the privacy and security of communications and call-identifying information not authorized to be intercepted;" [§ 1002(a)(4)(a)]

However, the technical feasibility of such an approach requires further examination, as well as the costs and how they are distributed.
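An added example, not part of the original study: a sketch of the CSP-side separation described above, assuming the host part of a URL is treated as identifying the apparatus (traffic data) while the path, query string, embedded credentials and body are treated as content. The record layout, the field names and `split_record` are hypothetical, and the sample records are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def split_record(record):
    """Split one intercepted request record into (traffic_data, withheld)."""
    try:
        url = urlsplit(record["url"])
        host, port = url.hostname, url.port
    except ValueError:
        host = None  # malformed authority or port
    if not host:
        # Fail closed: an unparseable URL is withheld whole, never forwarded.
        return {}, {"url": record["url"], "body": record.get("body", "")}
    # Assumed traffic data: origin, destination, time, size, type of service.
    traffic = {
        "time": record["time"],
        "src_ip": record["src_ip"],
        "dst_host": host,
        "dst_port": port or DEFAULT_PORTS.get(url.scheme),
        "service": url.scheme,
        "size": record["size"],
    }
    # Assumed content: anything naming files, parameters or credentials.
    withheld = {
        "path": url.path,
        "query": url.query,
        "userinfo": url.username or "",
        "body": record.get("body", ""),
    }
    return traffic, withheld


# Constructed sample records (documentation address range, invented values).
SAMPLE = [
    {"time": "2001-03-01T10:15:00Z", "src_ip": "192.0.2.10", "size": 512,
     "url": "http://www.example.org/files/report.doc?account=12345678",
     "body": ""},
    {"time": "2001-03-01T10:16:00Z", "src_ip": "192.0.2.10", "size": 90,
     "url": "not a url", "body": ""},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        traffic, withheld = split_record(rec)
        print("forward :", traffic)
        print("withhold:", sorted(k for k, v in withheld.items() if v))
```

The second sample record shows the fail-closed case: when the destination cannot be parsed reliably, nothing is forwarded, because a partial parse could leak file details into the traffic-data stream.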

If the access to communication data is subject to less onerous legal protections than that required for content, the potential consequences of the blurring between communication attributes and content in a modern communications environment are numerous:

Recommendations:

6. Communication Service Providers

One dominant feature of a modern communications environment is the proliferation of communications service providers and networks utilising alternative access technologies, both wireline and wireless. As a consequence, it can be assumed that most communications will be transmitted across a number of different networks owned and/or operated by different legal entities. As such, relevant evidence may be obtained at various points within the network.

In a traditional voice telephony environment, the general principle was that an interception would be carried out as physically close to the suspect as possible, which usually meant at a local loop or exchange level. In the current environment, the principle is no longer necessarily applicable as the proliferation of ‘intermediary service providers’ within the network hierarchy structure presents a range of alternative points of interception, particularly in respect of certain types of communications (eg. remote mailbox and cached web pages).

Historically, in order to enable law enforcement agencies to intercept communications, communication service providers have had legal obligations to maintain the technical capability to intercept communications. An issue presented by the current communications environment is whether such obligations should be extended to the new types of communication service providers that have entered the marketplace and the scope of any such obligation. A number of Member States have already addressed this issue (e.g. Germany: Telecommunications Law, para. 88; UK: Regulation of Investigatory Powers Act 2000, s. 12; Netherlands: Telecommunications Act 1998, s. 13), but significant national differences exist across a number of issues: eg.

Law enforcement agencies are inevitably keen to have access to the widest range of possible sources of relevant evidential data.

The survey of CSPs has identified two key concerns arising from an obligation to ensure an ‘intercept capability’. First, considerable reservations have been expressed about the feasibility of achieving a stable ‘intercept capability’ solution in a rapidly evolving communications environment. ‘Intermediary service providers’ in particular are concerned that their freedom to design, build and operate innovative data communications networks and services, in accordance with the dictates of newly available technologies and commercial imperatives, would be significantly restrained by the need to meet an on-going obligation to ensure an ‘intercept capability’. In addition, at the level of the traditional circuit-switched local access network, significant change will be experienced as a result of the regulatory drive within Europe to unbundle the local loop, to encourage the roll-out of broadband communication facilities. It is generally accepted that a single technological solution to the requirement for ‘intercept capability’ is not going to be available, which will have associated cost implications for CSPs and potentially procedural implications for law enforcement agencies.

Second, the costs arising from compliance with an obligation to provide ‘intercept capability’ are an important factor. Such costs can be distinguished into fixed costs, in relation to building the ‘capability’ into the network (eg. switches with intercept functionality), and variable costs, arising from the operational aspects of carrying out an interception (eg. personnel). It is beyond the remit of this study to determine the most appropriate division of costs between Member State governments, as holders of public funds, and the providers of communication networks and services. In many jurisdictions, fixed costs are borne by the CSP, whilst variable costs are covered by the relevant public authority. Both CSP and LEA respondents to the study noted that shifting some of the financial cost arising from an investigation to the investigating agency acted as an effective restraint on the use of such techniques.

Significant concerns have been expressed, however, particularly by those representatives of newly emerged ‘intermediary service providers’, that the costs involved in implementing ‘intercept capability’ in modern communication networks are likely to be substantial. Such concerns have been reflected in some jurisdictions through express statutory reference to the parties required to bear the costs: E.g.

Were the costs associated with the provision of ‘intercept capability’ to lie exclusively with the communication service providers, then this may impact on the commercial viability of certain SMEs entering the market for the provision of communication services and networks. The imposition of onerous ‘intercept’ obligations upon CSPs within Europe, in comparison with other jurisdictions, may also have an adverse effect on where CSPs choose to establish their business in the medium to long term.

7. FINAL CONCLUSIONS AND RECOMMENDATIONS

Section 7:

Stored Data:

Access to Protected Data

Content and Communications Data

Communications Service Providers