As can be seen from the evidence of recent take-downs of hidden services, Tor users may not be granted 100% anonymity, thereby resulting in the possible situation of law enforcement processing personal data not necessary for the original scope of the investigation. It is also possible that Tor is used to access personal data stored in, for example, some of Tor’s hidden services. This is why the use of Tor by law enforcement for criminal investigations may entail processing personal data and may thus be limited by data protection legislation.
The US Supreme Court has given the thumbs up to an amendment from the advisory committee on criminal rules for the Judicial Conference of the United States, which contains updates to criminal procedures that allow law enforcement to go after Tor and VPN users. The amendment is nothing more than an update to Rule 41 of the Federal Rules of Criminal Procedure, but with a broader scope that allows law enforcement agencies to engage in surveillance and even the hacking of US citizens and the citizens of other countries.
New Rule 41 can allow law enforcement to go after TOR, VPN users
According to privacy advocates at the EFF, US judges across the country could use the new Rule 41 to issue warrants that grant police the right to hack, search, or seize their computers if law enforcement suspects they may be engaged in “concealed” traffic. The amendment does not go into technical details, but any user with the basic knowledge of Web technologies will know this refers to any tools to mask the user’s data. This list includes technologies like Tor, VPNs, or anything else where encryption is used to keep prying eyes away, even for good reasons.
Hiding your location online can get you on the “naughty list”
EFF’s representatives imply that law enforcement may even target users who deny sharing geolocation data via their browsers or those who advertise false location settings via their Twitter profiles. In legal terms, this can pass as concealment.
A big part of the Rule 41 amendment is also dedicated to users who suffered malware infections enslaved their PCs in botnets. Judges are allowed to issue warrants for hacking, searching, or seizing computers infected by such malware under the reasoning that this PC is part of a criminal group’s operation. Despite being a US law, the amendment gives US judges the same power over all computers anywhere on the planet, in a brazen and shameless violation of international law and the right of countries to govern themselves. The amendment to Rule 41 has been forwarded to the US Congress. According to US law procedures, Congress must disavow the amendment and its content by December 1, 2016, or it will become the de-facto official version of Rule 41 across the US.
“The change to Rule 41 isn’t merely a procedural update. It significantly expands the hacking capabilities of the United States government without any discussion or public debate by elected officials,” EFF’s Rainey Reitman wrote.
“If members of the intelligence community believe these tools are necessary to advance their investigations, then this is not the path forward. Only elected members of Congress should be writing laws, and they should be doing so in a matter that considers the privacy, security, and civil liberties of people impacted,” he also added.
Concerns about the possible processing of personal data during an investigation are certainly not specific to Tor. However, EU data protection reform will significantly affect law enforcement work, including possible investigative activities carried out via Tor when the data is processed personal data. This means that even if law enforcement uses Tor to access certain websites or services anonymously, the requirements and legal remedies deriving from the data protection regulation would nevertheless be applicable.
Despite the criminal procedure aspects traditionally not being subject to detailed EU regulation, the EU’s approach is changing. The Lisbon treaty puts forward the principle according to which data protection applies to the police and judicial cooperation in criminal matters. The proposal for reforming the EU data protection landscape (the General Data Protection Regulation) is supplemented by a proposal for the Directive on the protection of individuals concerning the processing of personal data by competent authorities for prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties, and the free movement of such data. This proposal aims to harmonize the rules relating to the processing of personal data by competent authorities such as law enforcement and domestic processing. The proposal addresses the challenges raised by Framework Decision 2008/977/JHA, characterizing the latter as an instrument of ‘limited scope and various other gaps, often leading to legal uncertainty for individuals and law enforcement authorities, as well as to practical difficulties of implementation.’ After being adopted, the (now draft) Directive will be the principal instrument regulating the personal data processing by law enforcement.
These reforms are particularly noteworthy given the wide definition of ‘personal data in the EU. According to the Data Protection Directive 95/46/EC, personal data can be any information ‘relating to an identified or identifiable natural person, and an identifiable person ‘is unidentified, directly or indirectly, in particular by reference to an identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Until now, law enforcement’s activities have been exempt from the EU data protection rules. Adopting the proposed Directive will raise interpretative questions regarding the specific type of data that needs to be processed, such as the IP address.
Other issues may arise during the implementation of the proposed Directive and the use of Tor. While still in its draft version and thus subject to further changes, the proposal states, inter alia, that personal data must be ‘collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (Art 4(2)), and ‘kept in a form which permits identification of data subjects for no longer than it is necessary for the purposes for which the personal data are processed (Art 4(e)). The proposal also calls for the need for ‘distinction between different categories of data subjects’ (Art 5) so that the Member States should ensure, as far as possible, that the controller makes a clear distinction between personal data of different categories of data subjects. There is no indication that law enforcement would be restricted from using anonymizing software during its investigations. Still, the actual collection of data while using Tor or its hidden services must follow these rules in the Directive. Practical implementation of these rules when collecting evidence via or within Tor may become challenging for national law enforcement. For example, it may not always be even possible to determine fully which parts of the data to be processed entail personal data (especially with data of a more technical nature such as IP addresses), and therefore whether personal data regulation applies to the processing of such data, and if so, to what extent. Neither is it clear what providing ‘clear distinction between personal data of different categories of data subjects’ would look like in practice when applied to, for example, large data sets published by Tor hidden services.