Italy's Supreme Court decision limits hacking powers and applies safeguards
Privacy International notes a recent ruling issued by Italy’s Supreme Court (Corte di Cassazione) that addresses the need to limit government hacking powers for surveillance purposes and articulates required safeguards when hacking is conducted as part of a criminal investigation.
The ruling addresses the appeals of several individuals involved in a case of corruption; the appeals challenge irregularities in the collection of data as part of the criminal investigation, which resulted in the arrest of one of the defendants. It is the latest in a series of judgments addressing government hacking and comes amidst changes to the Italian law regulating the interception of communications, which addresses government hacking in the surveillance context. The ruling points to the need for Italy and other states to thoroughly review their practices of hacking for surveillance purposes and stop these activities until and unless they can be demonstrated to be in full compliance with applicable international human rights law.
The investigative technique at issue in the case concerned law enforcement’s injection of malware into the phone of an individual under investigation. That malware permitted law enforcement to remotely turn on the device’s microphone and record conversations in the home of the defendant. Those conversations were eventually used as part of the evidence to justify placing the defendant under arrest. Furthermore, the recording of conversations through the hacked device continued even after the conclusion of the preliminary investigations.
The Supreme Court’s ruling requires the lower court to re-examine whether the use of hacking to intercept the conversations complies with the safeguards imposed by the Italian Code of Criminal Procedure as well as with Article 8 of the European Convention on Human Rights and Article 15 of the Italian Constitution, which protect the freedom and confidentiality of correspondence and other forms of communication.
Background: Italian Law Enforcement Hacking
In recent years we have seen law enforcement and intelligence agencies around the world expanding their use of various tools for remote and covert hacking through intrusive software. The Italian authorities have been employing hacking powers, without explicit statutory authorization or clearly defined safeguards from abuse, for years.
It has been well documented that Italian law enforcement has been utilizing malware (commonly referred to as “Trojans” in Italian discourse) to engage in hacking for criminal investigation purposes. In fact, according to one report, “the use of malware is the method of choice for Italy’s law enforcement”. Initially, however, hacking did not require a warrant from the judge in charge of preliminary investigations because the courts did not consider hacking-based surveillance of devices to constitute a wiretap. Rather, the order of the Public Prosecutor alone was deemed sufficient.
This situation changed in 2015, when the Supreme Court concluded that hacking by law enforcement should be considered “electronic surveillance” and thus should require a traditional “search and seizure” warrant. In doing so, the Court subjected such hacking to the Italian Code of Criminal Procedure.
Article 266 of the Italian Code of Criminal Procedure allows for the “interception of conversations or communications” in proceedings relating to a list of predefined serious crimes. Article 266-bis expands these powers to include the “interception of the flow of communications related to computerized systems”. However, Art. 266(2) prohibits any interception carried out in a home or dwelling, or in another building or structure of private ownership, unless there is reason to believe that criminal activity has taken or is taking place within that building.
In a subsequent ruling in 2016, the Supreme Court ruled that “online surveillance”, e.g. “real time interception” using malware, could be lawful under Article 266, but nonetheless noted that it must be “limited exclusively to proceedings relating to offences of organized crimes” (namely mafia and terrorism related crimes).
In March 2017, the United Nations Human Rights Committee expressed concerns regarding the hacking capabilities of Italian authorities, including law enforcement. The Committee found that Italy should “review the regime regulating the interception of personal communications, hacking of digital devices and the retention of communications data with a view to ensuring (a) that such activities conform with its obligations under article 17, including the principles of legality, proportionality and necessity, (b) that robust, independent oversight systems are in place regarding surveillance, interception and hacking, including by ensuring that the judiciary is involved in the authorization of such measures, in all cases, and by affording persons affected with effective remedies in cases of abuse, including, where possible, an ex post notification that they were placed under surveillance or that their data was hacked.”
In June 2017, the Italian Parliament approved a comprehensive reform of the Italian Code of Criminal Procedure, which explicitly addressed government hacking. While this reform could help to fill the current legislative gap in the use of hacking for investigative purposes, Privacy International believes that it lacks many of the safeguards required under existing international human rights law. In May 2017, Privacy International published a full analysis of the law (the analysis refers to the bill after it was approved by the Italian Senate but before the final vote in the lower Chamber, which approved the text without changes).
Government Hacking and Surveillance: Necessary Safeguards
In December 2017, Privacy International published an advocacy briefing addressing government hacking as a form of surveillance. Privacy International’s position is that, given the unique and grave threats hacking poses to privacy and security, governments may never be able to demonstrate that hacking as a form of surveillance is compatible with international human rights law. However, recognizing that many governments are already deploying hacking powers, the briefing details a series of safeguards, designed to help governments assess their hacking activities in light of applicable international human rights law. The safeguards address hacking activities whose purpose is either to gather evidence in a criminal investigation or intelligence or to assist the evidence or intelligence gathering process.
Among other aspects, our minimum safeguards highlight the complex assessment an independent judicial authority should carry out before any specific hacking operation is authorised. For example, this safeguard notes that this assessment must include an evaluation of the proportionality of any proposed hacking measure against its security implications. Embedding this evaluation into any assessment of proposed government hacking is necessary because hacking may place at risk the security of the devices, systems and networks on which many of those not explicitly targeted by the government rely.
While this latest judgment of the Supreme Court confirms that robust regulation of government hacking for surveillance purposes, including by establishing strong safeguards, is necessary, we remain concerned about some aspects of the ruling. In particular, the Supreme Court held that a request to authorise surveillance measures does not require the government to specify the concrete and technical modalities of the intended surveillance measure, and whether these change over the course of the investigation. It is exactly these types of technical details that are needed for a judge, supported by competent technical experts, to assess the necessity and proportionality of a hacking operation, including its privacy and security implications.
We will wait to see how the Italian government responds to the Supreme Court’s ruling. Until it does, investigative authorities will find themselves in an uncertain legal limbo, which can undermine their ability to carry out effective criminal investigations.