This morning, BSA | The Software Alliance released Global Best Practices for Law Enforcement Access to Digital Evidence – a set of guidelines for law enforcement agencies and governments, as well as for technology providers, that address policies and procedures relating to law enforcement access to digital evidence. BSA’s best practices encourage stakeholders to protect privacy, security, transparency, and the rule of law, while fostering collaboration between law enforcement communities and providers in activities aimed to fight criminal activity and keep our communities safe.
As the types and volume of data continue to proliferate – from personal communication and health data, to data from Internet of Things (IoT) and medical devices – digital evidence has grown increasingly critical to law enforcement investigations. The European Commission estimates that digital evidence is now necessary in roughly 85 percent of criminal investigations, with more than half of all investigations requiring access to digital evidence stored outside a country’s borders.
As law enforcement agencies work to access and utilize the digital evidence needed to solve complex, often transnational, criminal investigations, they face growing challenges. Incomplete legal structures, insufficient law enforcement capacity, and underdeveloped investigatory processes can hamstring investigations and create unnecessary tension between law enforcement and technology providers.
BSA’s best practices offer a way to tackle these challenges.
BSA’s best practices for law enforcement and government empower criminal investigators to access digital evidence without compromising the security of the technology or the safety, rights, and opportunities of the citizens. These best practices are organized around the following five guiding principles:
- Safeguarding Fundamental Rights. Laws and policies should ensure the rights and liberties of citizens are safeguarded and incorporated at all stages of law enforcement investigations involving digital evidence.
- Narrowly Targeting Requests. Law enforcement agencies should request only the necessary information vital to a criminal investigation and should develop such requests through appropriate legal processes, including by pursuing minimization procedures.
- Cooperating Across Borders. Cross-border cooperation that provides mechanisms to reinforce procedural protections and legal safeguards, including through comity analysis and providing notification to a foreign government, is essential.
- Ensuring Transparency. Transparency is vital to sustaining public confidence in the authorities granted to law enforcement agencies, as well as maintaining appropriate conduct of the agencies in executing those authorities.
- Maintaining Collaborative Relations with Technology Providers. Laws and policies should recognize the equities of all stakeholders involved – promoting collaboration between the technology and law enforcement communities, while enabling industry to meet commitments to customer privacy and security.
Technology providers also have an important role to play in ensuring that law enforcement can carry out lawfully authorized criminal investigations in a responsible and collaborative manner. No provider should be asked to compromise customer privacy and security, but where providers can take reasonable measures to support lawful investigations, such measures can create tremendous benefits for the communities in which their customers live and work. BSA recommends that technology providers embrace the following best practices:
- Accessibility and Standardization. Technology providers should maintain a clearly identifiable online mechanism to receive law enforcement requests for data.
- Responsiveness. Providers should respond to law enforcement requests within a reasonable and defined time frame.
- Point of Contact. Providers should identify a single point of contact or contact mechanism to ensure accountability for the processing of requests.
- Guidance. Technology providers should maintain clear guidance on the types of data law enforcement agencies may access and the procedures for accessing it.
- Training. Training of investigators by technology providers can be a critical tool to aid law enforcement as they work to access and utilize digital evidence for legal criminal proceedings.
- Notification. Technology providers should notify data subjects when they receive a law enforcement request for the data subject’s data.
- Privacy. Technology providers should protect consumer privacy by establishing policies and mechanisms that prevent over-responsiveness and require appropriate laws and court orders to be obtained.
As the amount of data produced daily continues to grow, it is imperative that policymakers, law enforcement, and technology providers work together to shape laws and regulations that enable access to digital evidence in a manner that addresses the needs and rights of all involved stakeholders. BSA looks forward to working with both the public and private sector alike, to ensure due process and civil liberties are robustly protected, and that technology providers continue to meet their obligations to customers.
Learn more about BSA’s initiative on law enforcement access to data issues here.
Helping with law enforcement communities, while enabling the industry to meet commitments to customer privacy and security is the biggest challenge. Customer privacy is the most important aspect. Everyone is concerned about their privacy. law enforcement must be transparent. Transparency, as one of the basic principles of good governance. We have to work hard to meet all the demands and needs.