Hello Europe, Joe Biden is gone - Bert Hubert's writings

Last Friday I attended a useful conference organized by Microsoft. It lived up very well to its title: “Justice, Security and Fundamental Rights: Dialogue on EU Law Enforcement Policies”

Many thanks are due to various proofreaders who improved this article tremendously.

From the original invitation

tl;dr: European thinkers and policy makers are acting and talking as if the US federal government and courts are still “normal”, or will soon be so again. They will not, and we should update our world view. Secondly, when we discuss data retention, we often do not specify that this could be a 24/7 location database of all EU phones and cars. If that is the goal, everyone should be super clear about that. Please do read on for the full story & fun legal details.

In attendance were representatives from the European Commission, academia, telecommunication companies, “big tech”, UK & member state governments, representatives of data protection authorities and civil society, Europol, ENISA and various other important institutes. An impressive lineup, and I commend Microsoft for convening us in Brussels.

In various panels, participants discussed public/private cooperation in law enforcement, flow of e-evidence within Europe and without. Also discussed, the current chaotic state of telecommunication data retention.

I think some progress was made in these discussions, but these are not easy problems to solve.

Two things struck me though. Firstly, that most of the discussion lived in a glorious past where the rule based order is going strong (it isn’t). And secondly, a worrying lack of clarity on what “data retention” actually is.

This all matters hugely for the upcoming EU Roadmap for effective and lawful access to data for law enforcement.

Donald Trump, the elephant in the room

We were three quarters through the meeting before someone mentioned Donald Trump. Up until that time, discussions assumed that the US government was conducting business as usual (“Joe Biden/Barack Obama”), that the rule of law was doing well there, and that the US Supreme Court would stick to existing case law.

People who really should know better argued for modes of operation, mutual trust and assistance, as if Joe Biden were still president.

Eventually I could no longer stand this and I posed a question to the panelists, should we not think more about the real world? And stop clinging to an imagined past where all was good (it also wasn’t), and we could pretend that EU citizens had meaningful recourse against US surveillance efforts.

To this I received an interesting answer, in relation to the Latombe case over at the EU Court of Justice. In short, French politician Philippe Latombe argued his rights were infringed by the EU-US Data Privacy Framework.

In an interesting ruling (as described in the link above), the EU Court of Justice ruled on the situation that existed when Latombe filed his suit, some time ago. And it decided that in the then prevailing circumstances, Latombe’s rights were not being infringed. The court also stated that only the European Commission can make decisions based on how things are today.

Now, there is a lot of discussion on if the General Court of the EUCJ was actually right in ruling so narrowly. Latombe appears to be appealing, so we may be getting a better answer later.

I asked if we should not spend more time on the reality and not on legal fictions, and the answer I got was that the EUCJ General Court in this kind of procedure could only think about legal fictions.

Procedurally this may be correct. But in Europe, it appears the established and learned thinkers on these things are clinging to a more comfortable past. It is never fun when reality overtakes your legal frameworks. Especially when the real world is so traumatizing and chaotic.

But if we want to make any progress, we should let go of these comfortable memories of the past. Because even if Trump were to disappear today, the damage to US institutes will easily take a decade to reverse. And it is not even certain that such a reversal would happen.

All this is extra important since most data relevant for European law enforcement (and security and intelligence services) is in fact held by US companies (Meta, Google, Microsoft, Apple). So whatever goes on in the US is therefore immediately relevant for how we do our investigations here.

So please, European thinkers & policy makers, do wake up, and legislate and rule based on the reality that is staring us in the face: the US is no longer a reliable partner, is not sticking to its case law, the rule of law there is already in a dire state, and deteriorating rapidly.

It should be noted that these US companies are in a difficult place. Harming European customers or hindering European law enforcement operations is also not good for them of course. However, they can’t ignore US laws that may force them to do so anyhow. This is quite the balancing act.

Data Retention, retaining what exactly? And for whom?

For a very long time, law enforcement has used telecommunication records to aid their investigations. Telecommunication companies were mostly government owned, and they retained call detail records for billing purposes. Such records tell you who called who, and for how long.

The more of these records you have, the more they can tell police and intelligence about suspects and “targets”. EU Telecommunication service providers however are under general obligations not to retain these records for longer than necessary. It is not entirely sure how long this is. Weeks? A few months? Will someone complain about their invoice from half a year ago?

Previously, various EU member state laws have obliged telecommunication service providers to generally retain such data for much longer periods. This legislation has had a sordid history with various courts, who were not convinced that our security situation was so dire that prolonged records of our activities should be stored.

Now, what data are we talking about? If this is the timestamp, “A number” and “B number” of ever rarer phone calls, that is one thing. However, under other readings, service providers should be keeping records of all locations of communications too. And these days, your phone is communicating all day long.

Such location data could perhaps be the antenna your phone was mainly on, or even the sector of the antenna, which tells you someone was to the north of a certain cell phone tower. Other mobile communication technologies might have even more precise location data. As an example, 2G GSM knows your exact distance to an antenna, which allows for triangulation of your reasonably precise location.

The details of what data is to be retained are highly technical and they matter A Lot.

Sadly, during many policy debates, no technical people are present, and “data retention” is discussed as an abstract measure for which we should craft harmonized legislation.

This allows us to minimize what this is all about (“who you called and for how long”), and might end up legislating a 12 month storage of all locations of all EU phone users (which by now includes cars and e-bikes as well). And that would be terrifying.

Also something that should not be neglected, if the data is retained, who can query it? And for what crimes? And in bulk or only targeted? Also no minor matter.

Now, for vain reasons, I had to miss out on the last 30 minutes of the conference, so perhaps this was discussed at the end. I sure hope so.

But I urge everyone who discusses the abstract concept of mandatory data retention to immediately ask what data we are talking about. Because if we legislate first and then only later find out what we did, that would be terrible.

Summarizing

This was a useful gathering of relevant people, and I was happy to see so much thinking going on. But Europe should not be fooling itself on the situation in the world.

Please stop citing US Supreme Court case law to tell ourselves things are good. The legitimacy of that court is a matter of serious concern, even in the US.

And when discussing the abstract subject of data retention, please at your earliest convenience specify im detail what this is about. So that we know if we are legislating the universal European location surveillance engine or not.

Thank you for your attention in this matter.