It is a powerful tool for security forces but problematic in terms of the Constitution and privacy laws. A draft bill drawn up by the Justice Ministry will allow judges to authorize police to install spyware programs on a suspect’s computer, tablet or smartphone in order to obtain potential evidence. The text states that this measure will only be used when a crime carrying a sentence of three years or more is suspected, and in cases of terrorism or organized crime.
Until now only Germany has enshrined similar legislation, although only to investigate suspected terrorist activities. But this measure, introduced in North Rhine-Westphalia, was later ruled unconstitutional by the country’s top court, which imposed strict limits on the future use of the measure.
The Due Process Tribunal would be responsible for investigating cases under the bill, while the public prosecutor would direct them to the Public Prosecutor’s Office after the submission of a “reasonable petition.” Once authorization is received, spyware software would be remotely installed on the target’s computer.
The Justice Ministry said that despite the content of the draft, no decision has yet been taken on remote searches of computers. “We will listen attentively to what the experts say on the matter but we will not make a decision until we have analyzed the conclusions that various organizations are preparing,” said a ministry source.
Once a program has been installed on a suspect’s machine, there is little the police cannot obtain. “Not only can information stored on the hard disk be accessed, but also passwords stored in the computer’s memory,” says Juan Carlos Ortiz Pradillo, a professor of procedural law at the University of Castilla-La Mancha. “With these passwords, email can be accessed as well as social networks such as Facebook, to find out where someone has been, who they have been in contact with or what their interests are, together with communication programs such as Skype, and everything the suspect has stored on servers such as Gmail or in the cloud. Passwords to decrypt information and details of bank transfers can also be obtained.”
New law will oblige IT experts and even hackers to provide police with services
Judicial authorization for spyware programs to be installed also extends to pen drives, memory cards and external hard drives. Internet providers will also be obligated to cooperate with the authorities to facilitate data access. Any citizen “who knows the functioning of the operating system or the measures applied to protect data contained therein will be required to facilitate the necessary information,” the text reads. That could mean the IT manager of a company, a programming expert or even a hacker, if it is considered the best way to get into a targeted machine.
Among the crimes that will be considered fair game for the authorities to invoke the proposed measure are any form of organized crime, internet fraud schemes, child pornography, the grooming of minors online and cyberbullying. In any case, the machine that will be accessed must physically be within Spanish territory.
“We are talking about a procedure that from the point of view of police operational abilities could be very useful, but from the point of view of basic rights is very invasive,” says the professor of procedural law at the University of the Basque Country, Alberto Saiz, an expert in communications intervention and currently director of the litigation department in the regional administration. “It will affect the right to personal privacy of the person being investigated and also the right to private conversation by permitting access to chats, Facebook, Skype and Twitter. Furthermore, unlike a telephone, a computer can be used by several people who, despite not being the object of the investigation, will have their rights infringed.” On this basis, Saiz considers the list of crimes that can trigger a virtual investigation excessively long. “A definitive list should be drawn up,” he notes.
The General Council of Spanish Law (CGAE) believes the move to harness new technologies is “positive” but also warns digital intervention is a “delicate” matter. Sources at the legal body question the need to remotely snoop around inside a computer. “If the IP address has been identified and the machine is in Spain, why not just go and seize it and then see what it contains?” said a CGAE spokesman. The CGAE also states that any judicial order to gain access to a suspect’s computer must be issued with a “concrete and determined objective.”
“It is for this reason that the draft bill includes very strict requirements for authorization by a judge,” says Nicolás González-Cuéllar, a professor of procedural law and a member of the panel that drew up the proposal. “The crime to be investigated has to be more serious than to warrant a mere phone tap and the authorization must justify the method as being proportional to the seriousness of the crime. Furthermore, the resolution must clearly delimit what the police can and cannot do.”
States of limitations
The only European precedent for Spain’s proposed bill to allow police to hack into private computers came about in 2008, when the German Federal Constitutional Court ruled against North Rhine-Westphalia’s decision to allow investigators in the state to access personal data on a suspect’s computer.
Court President Hans-Juergen Papier said that using such software contravened rights enshrined in Germany’s Constitution, adding that the decision would serve as a precedent across the country. The ruling laid out that use of the technique — which involves sending an email containing spyware software to the suspect’s computer — would require judicial authorization.
In the specific case in North Rhine-Westphalia, intelligence services had gained access to the personal computer of a suspected terrorist.
In the USA, the Patriot Act allows law enforcement agencies to access personal data held by US-based firms without having to inform the customer whose details have been revealed. This is the case at Microsoft, where information belonging to European users of the software giant’s cloud services could be handed to US investigators without their knowledge, the company said in 2011. EU law states that a company must inform its customer when asked to divulge personal data.
EU companies are prohibited by law from transferring data to regions other than the European Economic Area.