Who has the right to read evidence on a smartphone?


In case of cybercrime, do magistrates have the right to consult evidence on a mobile phone? The line between investigation and invasion of privacy seems thin. Nathalie Devillier, doctor of law, explains it in The Conversation.

Mon Compte Formation scams and fraud, cyberattacks on hospitals, drug trafficking on the dark web… Large-scale data theft and crime on the Internet are on the increase. The value of our personal data has become so low ($20 for 10 million US e-mail addresses) that only massive collection of it is financially attractive to criminals.

On the other side, the public authorities pursue these criminals, but in cyberspace the evidence that identifies the perpetrator and the offense is by nature immaterial and intangible. It consists of computer traces (conversations on social networks, applications, contacts, e-mails, etc.) that the offender has often deleted from their telephone or computer. How, then, can the perpetrator of the offense be identified and the materiality of the alleged facts established? Is refusing to unlock your mobile phone reprehensible? Which code applies in cases of cybercrime?

Digital technology poses many challenges for judges

Many offenses are committed through information systems (all resources allowing the storage, processing and dissemination of information on our phones, computers and tablets) or target them, as ransomware does. Criminal penalties do not deter cybercriminals.

It is this observation that opens the chapter “Fight against cybercrime” of the new cybersecurity code.

This book brings together elements relating to cybercrime that have so far been disparate because they come from several codes: criminal code, criminal procedure code, customs code, commercial code, consumer code, postal and electronic communications code, intellectual property code, defense code, monetary and financial code, internal security code.

Digital technology poses many difficulties for judges, since the perpetrator is difficult to identify and locate, but also because of the ipseity (that which is specific to each person's identity) of digital evidence, which is volatile and multiplies the difficulties of collecting and storing this data.

Connection data to find the perpetrator of an offense

How, then, can the perpetrator of a digital offense be identified? With connection data. This is made possible by the obligation to retain connection data that is incumbent on Internet service providers, hosts and operators for the purpose of combating infringements (law for confidence in the digital economy, art. 6; postal and electronic communications code, revised in 2021, art. L34-1). The data may therefore be requested by the judicial authority.

These solutions, resulting from three decrees issued in 2021, reflect the search for a balance aimed at preserving the freedom of Internet users following the coordinated action of several associations for the defense of individual freedoms (Council of State, French Data Network and others, April 21, 2021).

Traffic data establishes the contacts that a person has had by telephone or SMS, the date and time of these contacts and the duration of the exchange. Location data makes it possible to know the zones of transmission and reception of a communication made with an identified mobile telephone and to obtain the list of calls that connected to the same relay antenna. In police jargon, these records are called “fadettes” (for detailed invoices).

Magistrate Emmanuelle Legrand said during an intervention at the Institute for Advanced National Defense Studies (IHEDN) on November 16 that: “access to this data is crucial: digital evidence is volatile, unlike a trace of blood which can “reappear” by a biochemical analysis, the erased data is difficult to find when one does not know where it was stored by definition”.

We should add that the data decryption stage can slow down the investigation.

The penal code, adapted in 2004, provides that the use of a means of cryptology to prepare or commit an offense or a crime (or to facilitate it) is an aggravating factor of the main offense (art. 132-79). Means of cryptology means: “Any hardware or software designed or modified to transform data, whether information or signals, using secret conventions or to perform the opposite operation with or without secret convention. These cryptology means are mainly intended to guarantee the security of the storage or transmission of data, by making it possible to ensure their confidentiality, their authentication or the control of their integrity.”

These penalties are not applicable to the author or the accomplice of the offense who, at the request of the judicial or administrative authorities, gave them the unencrypted version of the encrypted messages as well as the secret conventions necessary for decryption.

Not giving the code of your smartphone can be a crime

Encryption is a popular technique. But is the simple fact of locking your mobile phone, your computer, a means of cryptology, a secret convention? If so, it is an offense for a suspect to refuse to provide unlock codes for devices in their possession.

Indeed, refusing to hand over this convention to the judicial authorities, or to implement it at their request, is punishable by three years’ imprisonment and a fine of 270,000 euros. The penal code adds that: “If the refusal is opposed when the delivery or the implementation of the convention would have made it possible to avoid the commission of a crime or an offense or to limit its effects, the penalty is increased to five years’ imprisonment and a fine of 450,000 euros” (art. 434-15-2).

In other words, refusing to communicate the unlocking code of a mobile phone, treated as a secret convention, is criminally reprehensible.

However, this unlocking then gives access to the data contained in the telephone, in particular the messaging services. Such a possibility has therefore been strongly criticized on the grounds that it would undermine the right to silence and the right not to contribute to self-incrimination laid down by the International Covenant on Civil and Political Rights (adopted by the General Assembly of the United Nations and ratified by France, s.14).

Refusal by a suspect to provide unlock codes for their smartphone is an offence. // Source: Canva

When it comes to digital evidence, the line between investigative technique and invasion of privacy seems tenuous. It is this apparent contradiction that the Court of Cassation resolved in Plenary Assembly in its decision of November 7, 2022.

The Court clearly states that refusing to communicate the unlock code of a mobile phone can constitute an offence. In this case, a person arrested as part of an investigation in flagrante delicto for possession of narcotics had refused, while in police custody, to give the investigators the codes to unlock two telephones likely to have been used. The person was initially acquitted by the criminal court, but the criminal chamber of the Court of Cassation decided otherwise and upheld the criminal qualification. Because the court of appeal to which the case was referred did not follow that ruling in 2021, the case returned to the Plenary Assembly. The home screen unlock key of a smartphone is indeed a secret decryption convention.

The law is changing

In conclusion, if a cell phone has means of encryption (this is the case for most cell phones today) and it is likely to have been used for the preparation or the commission of a crime or an offence, its holder, who will have been informed of the criminal consequences of a refusal, is required to give the investigators the unlock code for the home screen.

Nevertheless, the deputy public prosecutor of the Court of Appeal of Caen, David Pamart, warns: “We are still far from pronouncing the maximum provided for in terms of sanctions: 4 to 5 months of suspended imprisonment and 5,000 euros in fine whereas in the United States it is the prison for two or three years!”

This situation should change with an amendment adopted during the debates on the orientation and programming bill of the Ministry of the Interior, which aims to increase the penalties incurred for an offense committed against an automated data processing system. Until now, the offenses of fraudulently accessing and remaining in an automated data processing system have been punishable by only two years’ imprisonment and a fine of 60,000 euros.

However, the extent of the investigative acts that can be carried out in a preliminary investigation is governed by the Code of Criminal Procedure and depends on the qualification of the offense retained (for example a crime or misdemeanor punishable by at least three years’ imprisonment). This new amendment proposes to increase the prison sentence incurred to three years in order to allow more investigative acts, such as searches or geolocation (art. 76 al. 4 of the code of criminal procedure).

Nathalie Devillier, Associate Professor, Kedge Business School

This article is republished from The Conversation under a Creative Commons license. Read the original article.


