Privacy is a major theme in this quarter’s legal update, which covers the latest developments with the European Union’s ePrivacy Initiative, some new laws in the United States, recent court decisions, and law enforcement access to third-party data. We also recap some of the American Academy of Forensic Sciences’ recent presentations related to jurisprudence.
Has third-party doctrine become outdated?
How much should governments be able to access — and reconstruct — the vast amounts of personal data collected not just by telecommunications and financial services providers, but also social media companies, online retailers, and other commercial entities?
That’s the question behind our in-depth piece at Medium on whether third-party doctrine can hold up under courts’ and legislators’ scrutiny. Cloud storage and other forms of technology have made it both cheaper and easier for companies to respond to court orders to turn over that data, so we discuss various data sources that could end up being subject to search — and how courts, companies, and legislators might balance investigative value with privacy needs.
Balancing privacy and criminal investigation in Europe and India
In late December last year, the European Electronic Communications Code (EECC), which expanded the 2002 Privacy and Electronic Communications (ePrivacy) Directive’s definition of “electronic communications services,” went into effect.
The law imposed new confidentiality responsibilities around communications and data processing for EU-based providers of electronic communications services, reported the nonprofit WePROTECT Global Alliance.
In doing so, the law introduced “significant ambiguity around the legality of the use of online detection tools that enable the identification and removal of suspected child sexual exploitation and abuse (CSEA).”
Image hashing services such as Microsoft’s PhotoDNA and artificial intelligence approaches to both imagery and child luring, such as Google’s CSAI Match, were impacted, WePROTECT reported.
In the wake of proposed interim legislation that would have remained in effect until 2025 — had it passed — Microsoft and others pledged to continue using the tools, but others including Facebook had curtailed their usage, “leading to widespread concern about the increased risk to children and a reduced capacity of law enforcement to identify offenders.”
Indeed, in February the National Center for Missing and Exploited Children (NCMEC) reported a 51 percent decrease over six weeks in E.U.-related child exploitation reports since December.
More recently, the Court of Justice of the European Union weighed the privacy of a defendant’s cellular location data against its benefit to a criminal investigation. In that case — following on other, similar decisions — 11 judges found that such data could be used only to investigate serious crimes, not more pedestrian theft or fraud cases.
In the case, which was referred by the Riigikohus, the Estonian Supreme Court, the Court of Justice held that even small amounts of data for limited periods of time could “provide precise information on the private life of a user of a means of electronic communication.”
The High Court of Karnataka also recently ruled in favor of personal privacy when it comes to electronic evidence: search warrants are needed to acquire data from personal digital devices. The court’s guidelines include the requirement for qualified forensic examiners to accompany investigating officers during on-premises searches and to follow a number of best practices to collect data.
New U.S. privacy laws continue to go into effect
We previously covered the California Consumer Privacy Act and its implications for digital forensics examiners. Besides that state passing an updated version of its law — the California Privacy Rights Act (CPRA), which now covers “sensitive personal information” — other states are beginning to follow its lead.
Virginia enacted its Consumer Data Protection Act (CDPA), which blends elements from the CCPA and CPRA as well as the European Union’s General Data Protection Regulation (GDPR). It goes into effect on January 1, 2023. JD Supra also reported on Florida’s House Bill 969, which “in many ways mirrors the [CCPA] before the passage of the [CPRA], but HB 969 also incorporates aspects of the CPRA.”
Consider these laws and the EU ePrivacy Initiative in light of a recent article in which privacy attorney Kathryn Rattigan questioned: what are mental health apps doing with our data? With a focus on consumer privacy, the article noted that laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) don’t apply to these apps. Furthermore, app privacy policies aren’t always clear on how data is used.
Investigative and legal implications exist, too, though. For one thing, data from a sign-in to a mental health app could help to authenticate who was responsible for data entered in a device. For another, data from the app could serve as a defense, depending on the crime under investigation.
Post-Brexit and related jurisdictional issues with digital data
Government access to private data isn’t just a matter of privacy. It’s also a matter of jurisdiction, as one recent case and one academic paper both point out.
In a case that predates the enactment of the 2018 Clarifying Lawful Overseas Use of Data (CLOUD) Act and the 2019 signing of a bilateral, United States-United Kingdom treaty according to that law, the UK Supreme Court ruled in February this year that “the Serious Fraud Office (SFO) could not force a foreign company to hand over material that it holds abroad through a notice issued under Section 2(3) of the Criminal Justice Act 1987 (the Act).”
Noting that “even [the bilateral agreement] is not fully operational due to the US not yet passing all of the requisite reciprocal domestic legislation,” attorneys Molly Brien, Vanessa McGoldrick, and Elizabeth Robertson wrote for JD Supra that future extraterritorial requests for data would demonstrate how the UK’s CLOUD Act equivalent, the Crime (Overseas Production Orders) Act 2019, would apply in similar cases going forward.
At Forensic Science International: Synergy, meanwhile, Northumbria University Law School professor Tim Wilson wrote about “The prospect of significantly reduced and potentially unstable EU-UK criminal justice cooperation under the 2020 Trade and Cooperation Agreement (TCA) unless criminal justice professionals and academics can help to shape its future development.”
Wilson observed “a spectrum of continuity/discontinuity in cooperation from January 1, 2021 onwards” in terms of data sharing and mutual legal assistance, among other factors. However, he also observed opportunities “for law enforcement officers, prosecutors, forensic scientists and technologists, even for human rights lawyers and academics to engage with Part Three rule-making and to influence future cooperation strategy.”
Jurisprudence and forensic science at the AAFS
Also this quarter, the 73rd Annual Scientific Meeting of the American Academy of Forensic Sciences was held virtually. Its proceedings included an array of jurisprudence-related papers, some of which are relevant to attorneys and the digital forensics examiners who work with them:
In “Digital Evidence in Criminal Cases Before the United States Courts of Appeal: A Follow-Up Study on Trends and Issues for Consideration,” Martin Novak described how digital evidence has withstood challenges in appeals of criminal cases before the United States Courts of Appeal.
A follow-up to his AAFS presentation in 2020, Novak’s research examined cases brought before the United States Courts of Appeal between January 2016 and June 2020. The digital evidence in these cases included wearable devices, devices at the border, network investigative techniques used in online investigations, and cell site location information (CSLI).
In “#DataStories,” Paul Reedy described an approach to digital forensic investigations that could help address specific challenges with data volumes stemming from the Internet of Things and 5G networks, pandemic-related criminal opportunism, deep fakes, and “the weaponization of social media.”
Reedy argued that data can no longer be examined in isolation. Instead, he encouraged supplementing more traditional digital forensics — including newer techniques such as artificial intelligence — with the use of multidisciplinary teams. By relying on experts with a range of skills and knowledge, investigations could tell whole stories using large volumes of different forms of data from multiple sources.
Digital evidence in conviction integrity
“Cell Phones Are the New DNA: The Emerging Role of Mobile Device Forensics in Wrongful Conviction Exonerations” compared and contrasted mobile and DNA evidence. Attorney John Carney argued for effectively using mobile device forensics, particularly related to patterns of life, to recover new evidence in wrongful conviction challenges.
Part of that argument was a review of a Minnesota case in which advanced mobile device forensic examination of the victim’s feature phone from March 2008 recovered evidence that contradicted eyewitness testimony of a first-degree murder, leading to a new trial for a defendant originally sentenced to life without parole.
“Lessons Learned From the Creation and Operation of Conviction Integrity Units (CIUs) in District Attorney’s Offices in Texas” sought to help attendees understand the intersection of forensic science and legal issues in the context of actual innocence case reviews in CIUs in Texas.
Although the presentation took a broad view of forensic evidence, lessons for digital forensics included prosecutor communication with forensic scientists and the need for policies regarding the reevaluation of previously examined evidence.
In “Forensic Laboratories: Time to Lawyer Up,” attorney Amy Curtis Jenkins detailed the role of in-house counsel in the forensic laboratory setting — including the guidance that an in-house attorney could provide to scientists and lab managers, along with advocacy within the criminal justice system. Part of Jenkins’ presentation: the need for independent forensic labs.
“Science, Technology, and Jurors: An Update” took a second look at the “CSI effect” myth that has developed over the past 10 years and contrasted it with the more significant “tech effect.” Rather than jurors’ television viewing habits informing their requests for scientific evidence, in other words, “the impact of the technological and informational revolution in our society” was the more likely cause.
At the same time, “a growing politically based ‘anti-science’ movement” coupled with media coverage of various examples of police and forensic lab misconduct, mistakes, and wrongful convictions could have a dampening effect on the presentation of scientific evidence to juries.
Standards and standardization
“Putting Words in the Mouth of the Expert: Using Rules of Evidence to Script Expert Testimony Based on the President’s Council of Advisors on Science and Technology (PCAST) Principles” considered how amending rules of evidence — specifically, U.S. Federal Rule of Evidence 702 covering the admissibility of expert witness testimony — could help to reform forensic science by requiring judges to dictate expert word choices in expressing opinions on the stand.
In a similar vein, a workshop held at AAFS discussed “The Use of Structured Argumentation to Support Conclusions: A Video Authentication Case Study.” Presenters Patricia Mullaney, Virginia Franqueira, Joseph Remy* and Graeme Horsman described the benefits of applying a structured argumentation framework both to individual cases and within the criminal justice system. Notably, the framework can support case claims and resolutions, and with consistent application could make for more equitable, less resource-intensive case results.
“Implementing Organization of Scientific Area Committees (OSAC) Standards at the Local Level: Lessons From Texas” discussed successes and challenges in making the standards and guidelines work at a practical level for laboratories with varying resource levels, as well as efforts to educate lawyers and judges on the significance and scope of OSAC work product, in that U.S. state.
In “The Need for Ethical, Legal, and Social Implications (ELSI) Evaluations in Forensic Science Methods and Police Investigative Technologies,” the Innocence Project’s Sarah Chu argued: “…the criminal legal system has pressed forward in supplying law enforcement with investigative technologies without due regard to their validity, reliability, efficiency, and just application.”
Chu was talking specifically about DNA evidence, but reflecting “the national uproar to the use of facial recognition technology,” Chu alluded to widespread digital technology in use in other quarters, of which digital forensic technology would naturally be part.
Forensic Focus covered additional AAFS presentations on the technical side of digital forensics in February’s research roundup.
*Joseph Remy is a legal/technical advisor for the Forensic Focus Legal Update.