Tor and personal data

As evidenced by recent take-downs of hidden services, Tor users may not be granted 100% anonymity, potentially leading to law enforcement processing personal data beyond the original scope of their investigation. Tor can be used to access personal data stored in its hidden services, meaning law enforcement’s use of Tor for criminal investigations may involve processing personal data, thus being subject to data protection legislation.

Rule 41 and Its Implications
The US Supreme Court approved an amendment to Rule 41 of the Federal Rules of Criminal Procedure in 2016, significantly expanding law enforcement’s ability to target Tor and VPN users. The amendment allows judges to issue warrants for hacking, searching, or seizing computers suspected of being involved in concealed traffic, such as using encryption tools like Tor and VPNs. Privacy advocates, including the Electronic Frontier Foundation (EFF), have raised concerns about the broad scope of these powers and their potential impact on privacy and civil liberties.

The amendment also covers users whose computers are infected with malware, allowing judges to issue warrants for investigating or seizing these devices. This aspect raises significant international law concerns, as US judges can now issue warrants affecting computers globally, potentially violating the sovereignty of other nations.

GDPR and Data Protection
The EU’s General Data Protection Regulation (GDPR), which came into effect in 2018, has significantly impacted how personal data is handled in law enforcement investigations, including those involving Tor. GDPR sets stringent requirements for the processing of personal data, including data processed by law enforcement agencies.

Key GDPR Principles Applicable to Law Enforcement:
Lawfulness, Fairness, and Transparency:
Personal data must be processed lawfully, fairly, and transparently. Law enforcement must have a legal basis for processing personal data, and individuals should be informed about the processing activities.

Purpose Limitation:
Data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

Data Minimization:
Only data that is necessary for the purposes stated should be collected and processed.

Accuracy:
Personal data must be accurate and kept up to date.

Storage Limitation:
Data should be retained only for as long as necessary for the purposes for which it was collected.

Integrity and Confidentiality:
Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Cross-Border Data Transfers
Given the international nature of Tor and VPN usage, it’s essential to address the rules and challenges related to cross-border data transfers under GDPR.

GDPR Provisions:
GDPR requires that personal data transferred outside the EU be subject to adequate protection. This can be ensured through adequacy decisions by the European Commission, standard contractual clauses, or binding corporate rules. These measures ensure that data protection standards are maintained even when data crosses borders.

Law Enforcement Considerations:
Law enforcement agencies must navigate these provisions carefully, particularly in international investigations where data may be stored or accessed from non-EU countries. Cooperation between international agencies is essential, and mutual legal assistance treaties (MLATs) often govern these interactions.

Data Subject Rights
GDPR grants several rights to data subjects that may impact law enforcement investigations. Understanding these rights and their implications is crucial for law enforcement agencies.

Right to Access:
Individuals have the right to know if their personal data is being processed and to access that data. This right ensures transparency and allows individuals to verify the lawfulness of data processing activities.

Right to Rectification:
Individuals can request corrections to their personal data. Law enforcement must ensure that any personal data they hold is accurate and up-to-date.

Right to Erasure:
Also known as the “right to be forgotten,” individuals can request the deletion of their data under certain conditions, such as when the data is no longer necessary for the purposes it was collected for. However, this right can be restricted in the context of criminal investigations.

Right to Restrict Processing:
Individuals can request the restriction of processing their data under specific circumstances, such as when they contest the accuracy of the data or object to the processing.

Right to Object:
Individuals have the right to object to the processing of their data in certain situations, particularly where data is processed for direct marketing purposes or based on legitimate interests.

Data Protection Impact Assessments (DPIAs)
DPIAs are a crucial aspect of GDPR compliance, especially for high-risk data processing activities like those involving Tor. DPIAs help identify and mitigate risks to individuals’ privacy and ensure that data processing activities comply with GDPR requirements.

When Required:
DPIAs are required when data processing is likely to result in a high risk to individuals’ rights and freedoms. This includes large-scale processing of sensitive data, systematic monitoring of publicly accessible areas, and processing activities involving new technologies.

Conducting DPIAs:
The DPIA process involves several steps:

1. Identify the Need for a DPIA: Determine whether the processing activity is likely to result in a high risk to individuals.
2. Describe the Processing: Outline the nature, scope, context, and purposes of the processing.
3. Assess Necessity and Proportionality: Evaluate whether the processing is necessary and proportionate to the intended purpose.
4. Identify and Assess Risks: Identify potential risks to individuals’ rights and freedoms and assess their severity.
5. Mitigate Risks: Implement measures to mitigate identified risks and ensure compliance with GDPR.
6. Supervisory Authorities and Cooperation Mechanisms
7. Under GDPR, supervisory authorities play a critical role in overseeing data protection compliance and handling complaints from data subjects. Cooperation mechanisms between these authorities ensure consistent application of GDPR across the EU.

One-Stop-Shop Mechanism:
The one-stop-shop mechanism allows organizations to deal with a single lead supervisory authority in cross-border cases, simplifying regulatory compliance. The lead authority coordinates with other relevant authorities to ensure a coherent regulatory approach.

Mutual Assistance and Joint Operations:
Supervisory authorities cooperate through mutual assistance and joint operations to handle cross-border data protection issues. This collaboration ensures that data protection standards are upheld consistently across the EU.

Technological Considerations
Effective compliance with data protection laws requires the use of appropriate technical measures. These measures help ensure the security and privacy of personal data during investigations involving Tor.

Encryption and Anonymization:
Encryption and anonymization techniques protect personal data by making it unreadable to unauthorized parties. Encryption secures data during transmission and storage, while anonymization removes identifiable information, reducing privacy risks.

Data Minimization Techniques:
Data minimization involves collecting only the data necessary for the investigation. Techniques such as pseudonymization, where identifiable information is replaced with pseudonyms, help minimize the risk to individuals’ privacy.

Ethical Considerations and Best Practices
Law enforcement activities involving Tor and VPNs must balance investigative needs with ethical considerations and privacy rights. Adhering to best practices ensures that investigations are conducted responsibly and transparently.

Ethical Framework:
An ethical framework guides law enforcement in conducting investigations that respect individuals’ privacy and civil liberties. This framework emphasizes the principles of necessity, proportionality, and accountability.

Best Practices:
Law enforcement agencies should adopt best practices to ensure compliance with legal and ethical standards. These practices include:

1. Transparency: Clearly communicate the purposes and legal basis for data processing to individuals.
2. Accountability: Maintain detailed records of processing activities and implement robust data protection policies.
3. Security Measures: Implement technical and organizational measures to protect personal data from unauthorized access and breaches.
4. Regular Audits: Conduct regular audits and assessments to ensure ongoing compliance with data protection laws.
5. Directive on Data Protection in Criminal Matters
6. The GDPR is complemented by the Directive (EU) 2016/680 on the protection of personal data by competent authorities for the purposes of prevention, investigation, detection, or prosecution of criminal offenses. This Directive harmonizes the rules for data processing by law enforcement across the EU and addresses challenges posed by Framework Decision 2008/977/JHA.

Key aspects of the Directive include ensuring that personal data processed by law enforcement is:

1. Collected for specific, legitimate purposes.
2. Not further processed in a way incompatible with those purposes.
3. Kept no longer than necessary.
4. Distinguishable between different categories of data subjects.
5. The implementation of these rules poses practical challenges, particularly in the context of Tor investigations, where the nature of the data and its processing can complicate compliance.

Conclusion
The evolving legal landscape, including Rule 41 and GDPR, reflects the growing tension between law enforcement’s need to investigate criminal activities and the protection of individual privacy and data rights. Law enforcement agencies must navigate these complexities carefully, ensuring compliance with data protection regulations while effectively carrying out their duties. By adopting robust data protection practices and adhering to ethical standards, law enforcement can balance the demands of criminal investigations with the rights and freedoms of individuals.