Category Archives: Legal Aspects

Legislation on criminal jurisdiction over online texts should be changed

“The acquittal of writer Kaur Kender, accused of producing child pornography, because he wrote his text abroad that is therefore not subject to Estonian legislation shows that laws need to be taken into conformity with the digital age,” finds Jaan Ginter, professor of criminology at the University of Tartu.

Tallinn Circuit Court acquitted Kender a week ago because he was in Michigan, USA when his infamous short story “UNTITLED 12” was published, while the server of publisher nihilist.fm is located in the United Kingdom. Kender was beyond the reach of Estonian laws.

When a digital-age person with no knowledge of the law reads the court’s decision, they will find it very surprising Kaur Kender’s case does not fall in the jurisdiction of Estonian courts at all. Kender’s text was aimed at the Estonian market. [..] The location of a digital services provider – the location of computers used to offer the service – should not matter these days. [..] No one, including myself, has given comprehensive thought to what the criminal jurisdiction of online texts could be; however, it is clear laws are evolving, and that the location of the server cannot be the decisive factor.

Links:
https://news.postimees.ee/4281829/kender-s-case-points-to-necessity-of-changes

PhD thesis: “Remote search and seizure of extraterritorial data”

Anna-Maria Osula PhD thesis: “Remote search and seizure of extraterritorial data”
Defense date: 17.04.2017 – 12:00, Näituse 20, room K-03

Supervisor:
Professor Jaan Ginter

Opponent:
Dr Christoffer Wong (University of Lund)

Summary:
Due to increasing digitalization, criminal procedure has to take into account the characteristics of the Internet, related technologies and digitally stored or electronically transmitted data. The objective of the dissertation is to examine, building on the example of the Council of Europe Convention on Cybercrime (CoCC), the regulation of remote search and seizure in circumstances where the targeted evidence is extraterritorially located or where it is not possible to identify the exact location of the data (‘loss of location’). Remote search and seizure entails searches that are either carried out by extending the initial search and seizure to devices accessible from the originally searched device or by remotely conducting search and seizure from other devices such as the law enforcement’s own. In addition to discussing the traditional mutual legal assistance procedures and alternative measures for accessing extraterritorial data, the dissertation scrutinizes whether remote search and seizure of extraterritorial data entails an extraterritorial application of jurisdiction to enforce and whether it can thereby be viewed as a breach of territorial sovereignty of the other state.

Links:
http://www.ut.ee/en/events/anna-maria-osula-remote-search-and-seizure-extraterritorial-data
http://dspace.ut.ee/handle/10062/55683

Estonian delegation answers to EU encryption questionnaire

The Council of the European Union has prepared a questionnaire to map the situation and identify the obstacles faced by law enforcement authorities when gathering or securing encrypted e-evidence for the purposes of criminal proceedings. These are the answers from the Estonian delegation, obtained through a public information request:

1. How often do you encounter encryption in your operational activities and while gathering electronic evidence/evidence in cyber space in the course of criminal procedures?
  • often (in many cases)

2. What are the main types of encryption mostly encountered during criminal investigations in cyberspace?
  • HTTPS, TOR, P2P / I2P, e-communications (through applications such as Skype, WhatsApp, Facebook, etc.)
  • offline encryption – encrypted digital devices (mobile phone / tablet / computer), encrypting applications (TrueCrypt / VeraCrypt / DiskCryptor, etc.)

3. Under your national law, is there an obligation for the suspects or accused, or persons who are in possession of a device/e-data relevant for the criminal proceedings, or any other person to provide law enforcement authorities with encryption keys/passwords?
  • No. Pursuant to Article 215 of the Criminal Procedure Code, investigative authorities and prosecutor’s offices can order the production of data from any person. Suspect and accused person do not have to disclose encryption keys/passwords.

5. Under your national law, is it possible to intercept/monitor encrypted data flow to obtain decrypted data for the purposes of criminal proceedings? If so, is a judicial order (from a prosecutor or a judge) required?
  • Yes. §126.7. Wire-tapping or covert observation of information.

8. Do you consider that your current national law allows sufficiently effective securing of e-evidence when encrypted?
  • Yes. Current legislation to gather evidence can be considered sufficient. The challenges related to encryption are more or less of a technical nature.

10. In your view, will measures in this regard need to be adopted at EU level in the future?
  • practical (e.g. development of practical tools for police and judicial authorities)
  • improve exchange of information and best practices between police and judicial authorities
  • create conditions for improving technical expertise at EU level

Basically, the Estonian delegation’s answers can be read as “not interested in EU-level crypto backdoors”. That is good, but it could have been said more explicitly.

There are positive signs at the EU level of opposition to backdoor legislation:

Andrus Ansip, the Commission vice president in charge of the EU’s technology policies, has said he opposes laws that force companies to create backdoors to weaken encryption.

Europol, the EU law enforcement agency, and ENISA, the agency in charge of cybersecurity, signed an agreement in May opposing laws that strongarm firms into providing backdoors.

Links:
https://www.asktheeu.org/en/request/3347/response/11727/attach/5/Encryption%20questionnaire%20ESTONIA.pdf
https://www.techdirt.com/articles/20161127/18352736140/encryption-survey-indicates-law-enforcement-feels-behind-tech-curve-is-willing-to-create-backdoors-to-catch-up.shtml
http://www.euractiv.com/section/social-europe-jobs/news/five-member-states-want-eu-wide-laws-on-encryption/

Yearbook of Estonian courts 2015

The focus of this Yearbook is on criminal procedure, with special emphasis on surveillance operations. Three of its articles are of interest to us.

“Supervision over surveillance”,  Uno Lõhmus, Visiting Professor at the University of Tartu:

In conclusion
First, full judicial pre-approval of surveillance operations, judicial supervision of the operations at the time of conduct thereof, and effective review of the operations after their completion are not ensured. Second, the rules on surveillance are laconic, incomplete and ambiguous, and the case law has not been able to improve this situation. In other words, legal clarity of the law is not ensured. This adds to the complexity of judges’ work and may also contribute to superficiality.

In addition, the case law does not clarify whether the installation of spyware in a computer system should be regarded as the installation of a technical means.

As of 1 January 2013, examination of traffic and location data in electronic communication is not considered to be a surveillance operation.

“Problems related to surveillance – the perspective of a defence counsel”, Küllike Namm, attorney-at-law:

In conclusion
This article focuses on the questions that have arisen in connection with surveillance operations and to which the current law does not provide answers. The discussion of these issues is intended to point out that the activities of public authorities in organising surveillance are inadequately regulated by the Code of Criminal Procedure. This creates a situation where the provisions on access to information on surveillance operations do not guarantee that a person subjected to surveillance can examine the data collected by surveillance operations and, where necessary, take possession of the data in a format that can be played back.

“Some problems encountered in computer system searches”, Eneli Laurits, Adviser to the Penal Law and Procedure Division of the Ministry of Justice:

Summary
The Code of Criminal Procedure of Estonia does not regulate computer system searches. It is relatively difficult to apply the existing rules to the collection of evidence in the manner described in this article, but it is still possible.

When performing an inspection, the body conducting proceedings is not entirely free of jurisdiction-related issues: for example, if the object of inspection is the social media website of a victim or a suspect, then the inspection of the website is complicated in theory, but simple in practice – a mouse click is enough to display various data within the territory of Estonia. An inspection can be based on cooperation (the subject voluntarily provides the user IDs and passwords), but there is always the possibility that voluntary cooperation fails. An investigative body should be able to rely on a legal regime in such cases.

Links:
http://www.riigikohus.ee/vfs/2071/Riigikohtu_aastaraamat_eng_veebi.pdf

Criminal procedure and digital evidence in Estonia by Eneli Laurits

It has been decided in Estonia that by the year 2020, a criminal file may be digital. Following on from this decision, it is necessary to decide how to incorporate into the law a regulation concerning digital evidence with the aim of seizing as much as possible evidence in its initial digital form, and ensuring the evidence is seized in the place where it is physically located.

This article aims to sum up the most common activities within which digital evidence might be taken, highlighting the potential problems of interest to the legislature when elaborating specific regulations for digital evidence.

A quite disturbing revelation is that under current law, law enforcement agents, after a court-authorized inspection, seizure or remote take-over of a computer system, are allowed to access any other remote resources that the system has access to:

The Advisory Guidelines on IT-Evidence, prepared on 24.05.2016 by law enforcement agencies, claim that in case of public investigative measures (inspection, search) and covert surveillance, no request for legal assistance is needed for data stored in cloud on foreign states’ servers.

For example, upon apprehension, a suspect has a computer or a smartphone unprotected with a password, and it is possible to obtain and to look through the information about the data stored, for example, in the cloud or in an e-mail box (which are not on the Estonian servers). Even when prosecutors approach the court on their own initiative, and by pointing out an obvious similarity between the search of a computer system and the search of a physical space to obtain permission from the court, preliminary investigation judges have so far found that such permission is not needed.

The Supreme Court has found that a permission granted by a prosecutor, and not by a court, is enough to observe, copy data in the person’s e-mail box (including when an e-mail box is located on a foreign state’s server) and to covertly examine a part of the server where a particular e-mail box is located, because messages are then not being transmitted, but they have already reached a recipient.

Links:
http://journals.sas.ac.uk/deeslr/article/download/2301/2254

Kapo eavesdropped on Savisaar outside criminal procedure

Lawyers defending Edgar Savisaar are hopeful to kill criminal case against the Centre chairman with just one move – asking that the initial evidence, the basis for all the rest, be declared invalid. This would be the piece of information acquired by security police which afterwards triggered the whole criminal case – by eavesdropping a private conversation between then Mayor of Tallinn Mr Savisaar and Meriton Hotel owner Aleksander Kofkin at the Balalaika.

While talking about the food, a topic slipped in which made police ears perk up. [..] After years of eavesdropping on Mr Savisaar, this for the security police seemed to be a sign that the mayor was involved in issues outside of official responsibilities. [..] While Mr Savisaar is contesting that, the main issue is the method of acquiring the information may not have been legally justified and thus the basis for all the rest of the case would fall off.

In Estonia, security agencies are allowed to eavesdrop on people and institutions outside criminal procedure to prevent danger and in the interests of security. For this, special permission is granted by an expert administrative judge. All related information and related issues (such as statistics) is state secret.

Years of eavesdropping without the right to ever find out about it, and with overall statistics being a state secret. As the EFF says: When electronic searches are done in secret, we lose our right to challenge the legality of law enforcement invasions of privacy.

Links:
http://news.postimees.ee/3785723/lawyers-of-savisaar-see-ray-of-hope

IT Law Conference on Legal Technology

9:00 – Registration and Coffee
9:30 – Welcome and Introduction
Ülle Madise, Chancellor of Justice in Estonia
Helen Eenmaa-Dimitrieva, Director of the IT Law Programme, University of Tartu
9:45 – Keynote Address
Hannes Vallikivi, Chairman of the Board, Estonian Bar Association
10:15 – Innovative Technologies Influencing the Legal Sector
Ermo Täks, Associate Professor, Tallinn University of Technology
10:45 – Interoperability between IT and Law
Priit Parmakson, Architect, Estonian Information System Authority
11:15 – Blockchain Technology and the Law
Alex Norta, Associate Professor, Tallinn University of Technology
12:00 – Lunch Break
13:00 – IT Law Lab
Laura Kask, Legal Advisor at the Department of State Information Systems, Estonian Ministry of Economic Affairs and Communications
Ave Lauringson, Leading Specialist at the Information Society Unit, Estonian Ministry of Economic Affairs and Communications
Ave Piik, Head of the Intellectual Property and IT Law Commission, Estonian Bar Association; Head of IP/IT, COBALT
Karmen Turk, Litigation Attorney, Triniti Law Firm; Expert, Council of Europe; Visiting Lecturer in IT Law, University of Tartu
14:00 – Launch of the Legal Tech Competition
Hannes Vallikivi, Chairman of the Board, Estonian Bar Association
14:10 – 3-minute Pitches from Legal Startups
14:30 – Keynote Address: From Research to Innovative Legal Tech Products
Anna Ronkainen, Chief Scientist and Co-Founder, TrademarkNow
15:30 – Coffee Break
16:00 – Compliance and Digitalization. Launch of MyFondia Legal Platform
Bradley Mitchell, Senior Legal Counsel, Fondia
Anti Kodar, Managing Director, Fondia Baltic
17:00 – The Future of Legal Services
Risto Hübner, Chief Legal Officer, Nortal; Founder, Estonia Legal Hackers (Moderator)
Bradley Mitchell, Senior Legal Counsel, Fondia
Anna Ronkainen, Chief Scientist and Co-Founder, TrademarkNow
Tanel Erik Podar, Legal Counsel, Fortumo
Hannes Vallikivi, Chairman of the Board of the Estonian Bar Association
17:45 – Closing Remarks
Anne Veerpalu, Visiting Lecturer in IT Law, University of Tartu; Associate Partner, NJORD Law Firm; Founder, Estonian Legal Hackers
18:00 – Networking and Snacks

Links:
http://www.oi.ut.ee/en/studies/it-law-conference-legal-technology

Hacking systems protected by a simple password might not be an offense

Oskar Gross, the manager of the recently opened Cyber Crime Unit of the Central Criminal Police, writes in an opinion piece that Estonian legislation is at times more primitive than the actual cybercrime. As a result, there may be a weird situation where hacking an account that is protected with a simple password such as “1234” is not an offense.

In the last commented edition of the Penal Code, the lawmaker rather boldly attempted to define the legal handling of computer systems’ passwords and the security issues related to recovering passwords, and the end result is problematic in several respects.

The Penal Code has an important section, §217 “Illegal obtaining of access to computer systems”, which aims to penalize unauthorized access to computer systems. The commented edition of the Penal Code clarifies that access is not unauthorized in the case of amazingly simple passwords, such as “admin”, “123456” and “qwerty”, because such passwords can be guessed by an attacker or found in “the top worst passwords” lists on the Internet.

In short, the comment on this section says: “If you have a weak password, the access to your data is allowed.”

Links:
http://geenius.ee/uudis/arvamuslugu-kas-konto-parooliga-1234-avalik

Data Protection Inspectorate allows processing of personal data in a privacy-preserving manner

In Estonia, the Ministry of Education and Science keeps track of students and the Tax and Customs Board keeps track of working (by tracking income tax payments). If data scientists could access these databases, they could find the correlation between working during studies and not graduating in time. However, this data cannot be shared because of the Personal Data Protection Act and the Taxation Act (not to mention the relevant EU regulation). This prevents such studies from being performed.

The Personal Data Protection Act actually permits processing of personal data for research purposes (see § 16), although data mining in a privacy-preserving manner might have some advantages.

We used the Sharemind Application Server with its analytics package Rmind to perform the study in a privacy-preserving way. The privacy-preserving solution was checked by the Estonian Data Protection Inspectorate. Their response was that our solution does not process Personally Identifiable Information (PII) in the meaning of the law.

For the study to be actually private, the institutions are required to audit the code that is run on the Sharemind server. In this case, the Tax and Customs Board had a person with the skills and willingness to audit the code:

Furthermore, the Tax and Customs Board reviewed Sharemind’s source code to ensure that everything is performed according to the study plan.

The findings of the study:

Our study showed relations between higher education and higher income, but we found no relation between working during studies and not graduating on time. Instead, it turned out that Estonian students of all fields work an equal amount. Also, our data showed clearly the reduction of employment during the financial crisis in 2008.

Links:
https://www.youtube.com/watch?v=Age06E1TWaA
http://sharemind.cyber.ee/stories_privacy-preserving-policy-decisions.html
http://news.err.ee/v/politics/education/01447de3-b5ef-4863-a42b-8275eb823cab/studies-majority-of-it-students-drop-out-of-university
http://eprint.iacr.org/2015/1159

Talk by IT law and data protection specialist professor Lee Bygrave

The IT law programme invites you to a discussion with a distinguished IT law and data protection specialist professor Lee Bygrave from Oslo University. He will give his talk on Friday, October 9, 2015, from 14.15 to 17.30 at the University of Tartu, Faculty of Law, Näituse 20 room 103. The talk will cover the following topics:

  • the US-EU cleavage on data protection regulatory policy;
  • the extent to which data protection rules can and ought to apply to use of human biological material;
  • regulatory policy on privacy-enhancing technology and privacy/data protection by design.

Lee Bygrave’s visit to Estonia is organized by the IT Law Programme. Additional information: Helen Eenmaa-Dimitrieva, Director of the IT Law.

Links:
http://www.ut.ee/itlaw
http://www.jus.uio.no/ifp/english/people/aca/lee/