UPDATED: May 2017 | SOURCE: Vodafone Group with support from Hogan Lovells
Provision of Real-time Lawful Interception Assistance
THE INTERCEPTION LAW
Article 22 of Law No. 9157, dated 4.12.2003 ‘On interception of electronic communications’, as amended (the Interception Law), provides that when the Albanian Intelligence Agency or the relevant ministry cannot implement an interception using only their own resources, the Director of the Albanian Intelligence Agency or the relevant minister may request the assistance of any operator of electronic communications in the Republic of Albania, and the operators Albania are bound to undertake all necessary steps in relation to such interception.
Under Article 6 of the Interception Law, the relevant organisations that have the right to require interception are: the Albanian Intelligence Agency, the Intelligence department/policy of the Ministry of Interior, Ministry of Finance and Ministry of Justice, or any other Intelligence/police service established by law. According to Articles 7–9 of the Interception Law, such request is made to the Attorney General or in his absence to any other prosecutor duly authorised by the Attorney General who will decide on the approval or rejection of the request for interception.
Under Article 21 of the Interception Law, operators of electronic communications, ie Vodafone, shall provide, at their own expense, the necessary technological infrastructure within 180 days from the issue of the request by the agencies that manage interception systems. The infrastructure for providing interception capacity shall be compatible with the equipment of the central interception point (which is the technical equipment managed by the Office of the Attorney General that allows or prevents interception of electronic communications) and the interception sector in the Albanian Intelligence Agency. If the operators of electronic communications undertake any technological change or extension in their system’s capacity, they shall cover at their own expense any changes required to maintain the intercept capability. In cases of changes in the central interception point that require changes in the infrastructure of the operators of electronic communications systems, the operators are notified of such changes at least 180 days before such change takes place.
Under Article 22 of the Interception Law, the operators of electronic communications shall be provided with a copy of the decision of the Attorney General or any of his authorised persons deciding on the interception, with restricted content removed that might impair the intelligence/interception process. Such decision shall include timeframes allowing operators of electronic communications to identify numbers, addresses and other relevant data that need to be identified for the interception. When necessary, the decision is accompanied with an additional document specifying other technical details. Note that the results of interceptions acquired according to the Interception Law cannot be presented as evidence in criminal proceedings, except for data obtained in accordance with Articles 221–226 of the Criminal Procedure Code.
CRIMINAL PROCEDURE CODE
Under Article 222 of Law No. 7905, dated 21.03.1995 ‘On Criminal Procedure Code’, as amended (Article 208, 191/a, 208/a, 299/a, 299/b – the Criminal Procedure Code), upon the prosecutor’s written application or that of the aggrieved party, the Court through a Decision may authorise the interception of communications. The interception is authorised when it is essential to the continuation of the initiated investigation or when there is sufficient evidence to support the charges. The relevant authorities (ie Attorney General, relevant ministries, Albanian Intelligence Agency, etc) have the capability to intercept electronic communication without the knowledge or approval of operators of electronic communications.
Disclosure of Communications Data
ELECTRONIC COMMUNICATION LAW
Operators of electronic communications have the duty to disclose to the competent organisations relevant communications data of their network users pursuant to the legal request of relevant public organisations made as per the procedure in accordance with the Law No. 9918, dated 19.05.2008 ‘On electronic communications in the Republic of Albania’ (Electronic Communication Law), Criminal Procedure Code or the Interception Law, as the case may be.
Article 101(6) of the Electronic Communication Law provides that the relevant authorities shall be provided with any files stored in relation to their users and such files shall be made available, in electronic format as well, without any delays to such authorities as prescribed in the Code of Penal Procedure, upon their request.
These files include data in relation to voice communication and SMS/MMS that make available the following:
a. full identification of the subscribers;
b. identification of the terminal equipment used in the communication; and
c. determination of location, date, time, duration and the outgoing/incoming number, including calls with no answer.
In cases of internet communication, the files shall include:
a. relevant data on the origin/source of communication:
- subscriber/user ID;
- name and address of the registered subscriber/user who owns the IP address, the identity of the user, or telephone number used during the communications;
b. relevant data on the identification of the destination/recipient of the communication:
- in cases of internet calls, the subscriber/user ID or the telephone number of the number called;
- in cases of email or internet calls, the name and address of the subscriber or user and the user ID of the aimed recipient of the communication;
c. relevant data for the determination of date, time and duration of the communication:
- log-in/log-off date and time;
- IP address, determining also if it is dynamic or static; and
- subscriber/user ID registered for the service of internet access.
All such data shall be retained in accordance with the applicable legislation on data protection in Albania. Operators of electronic communications have the duty to disclose to the competent organisations any files stored in relation to their users and such files shall be made available, in electronic format as well, without any delays to such authorities pursuant to the legal request of relevant public organisations made as per the procedure in accordance with the Electronic Communication Law and Criminal Procedure Code.
It is not legally permitted for operators in Albania to store the content of communications as only the data provided in Article 101(6) of the Electronic Communication Law are permitted in the files stored by the operators. Therefore, only this data can be retrieved by the relevant authorities in Albania.
DATA PROTECTION LAW
In addition, Article 6(2) of the Law No. 9887, dated 10.08.2008 ‘On Protection of Personal Data’ as amended (Data Protection Law), provides that the processing (including transferring) of personal data in the context of prevention and/or investigation of criminal acts, for criminal acts against the public order and other criminal acts, including those in the field of national security and defence, are undertaken by the responsible authorities provided by law.
CRIMINAL PROCEDURE CODE
Under Article 208 of the Criminal Procedure Code, the judge or the prosecutor (as the case may be, depending on the stage of investigation), based on a reasoned decision, shall decide on the seizure of material evidence relating to a criminal act when this is necessary to the confirmation of evidence. The seizure is made by the same authority issuing the decision or by any authorised police officer.
National Security and Emergency Powers
ELECTRONIC COMMUNICATION LAW
Article 8 (rr) of the Electronic Communication Law states that it is one of the duties of the Authority on Postal and Electronic Communication (the Authority) to undertake any measure or order in relation to the operators of public electronic communications to implement their obligations related to the protection of the interest of the country, of the public order, and during war or extraordinary situations. Under Article 111 of the Electronic Communication Law, operators are obliged, with their own networks and services, to face the state needs in extraordinary situations, and when requested to serve to the national defence and public order interests.
The operators providing access to the public electronic communications networks and providing electronic communications services available to the public shall develop and submit to the Authority a plan of measures to ensure the integrity of the public communications networks and to ensure access to their public communications services in extraordinary situations.
The Electronic Communication Law defines extraordinary situations as serious damages to the network, natural disasters, state of emergency or state of war. The Authority’s orders oblige operators to implement emergency measures throughout the duration of the extraordinary situation. The relevant minister, in cooperation with the other agencies legally authorised to cope with extraordinary situations and with the Authority on Postal and Electronic Communication, proposes to the Council of Ministers the measures to be included in the notices issued to the operators.
Additionally, under Law No. 8756, dated 26.03.2001 ‘On Civil Emergencies’, government authorities have the right to use any private or public means or to cooperate with organisations related to emergency situations, in order to avoid or limit consequences from disasters in accordance with the applicable laws, as long as such circumstances exist. This provision can be interpreted as to also be extended to a range of actions towards the network of electronic communication operators in national security orders or in civil emergencies.
Oversight of the Use of Powers
CRIMINAL PROCEDURE CODE
Under Article 222 of the Criminal Procedure Code, upon the application of the prosecutor or the aggrieved party, the Court authorises interception through a decision approving the legal interception, when it is essential to the continuation of the initiated investigation or when there is sufficient evidence to support the charges.
When there are reasonable doubts that any delays may impair the investigations, the prosecutor decides on the interception and issues an approval and informs the Court immediately, in any case not later than 24 hours. Within 48 hours from the decision of the prosecutor, the Court makes an assessment of the prosecutor’s decision. If such assessment is not made within these time limits, the interception cannot continue and its results cannot be used. The Interception Law also provides for cases of interceptions authorised through a Court decision always based on the relevant articles of the Criminal Procedure Code (Articles 221– 226). Article 212 of the Criminal Procedure Code provides that the defendant or the person against whom a seizure is sought or the person who filed the criminal suit are entitled to appeal against such Decision of the Court.
Under Article 23 of the Interception Law, the Attorney General or the prosecutor duly authorised by him provides for and communicates to the operator of electronic communications the decision of the relevant Court on the interception.
Operators of electronic communication are bound in principle by this duty of technological assistance and capability adjustment/adaptation related to interception (Article 21 of the Interception Law) pursuant to a request by the relevant organisations managing interception systems in accordance with the Interception Law.
SHUT-DOWN OF NETWORK AND SERVICES
Article 170 of the Albanian Constitution provides for certain extraordinary measures which the government may legally take under the conditions of war, natural disasters or other type of extraordinary situation in order to address such an emergency. Under this provision, it would therefore be possible for parliament to approve a specific law requiring the shut-down or taking control of a communication service provider’s network or services (such as Vodafone’s) for as long as the extraordinary situation, war or natural disaster existed.
Law No. 8756
Under Law No. 8756, where there is a civil emergency, government authorities may work with network operators (such as Vodafone) to avoid or limit the consequences arising from the civil emergency. A civil emergency is any major event that immediately and gravely endangers human life, cultural heritage or wealth, or the environment – such as a major ecological disaster, mass industrial action, social unrest (for example, riots), terrorist attack or war. The government authorities may use any private or public means, or cooperate with organisations, to resolve the situation, but must do so in accordance with applicable law. While the exact measures and powers are not described, according to this law, Vodafone is obliged to organise, when it is deemed necessary, the evacuation of their employees from their facilities and cooperate with the government to make available their services in response to an emergency situation in the area of the civil emergency. It may be feasible that in specific cases such cooperation between a network operator (such as Vodafone) and the government could extend to the shutting down of Vodafone’s network or services for as long as the civil emergency existed.
Electronic Communications Law
Under Article 76 of the Electronic Communication Law, the Authority on Postal and Electronic Communication has the right to revoke the authorisation of a network operator (such as Vodafone) to use the radio frequencies on which it operates its network. The Authority may only do so in specific circumstances.
Such circumstances include where the Authority identifies that the network operator’s licence application contained false data or the network operator has infringed provisions of the Electronic Communication Law or conditions of its authorisation (including payment of licence fees). The Authority may also remove the network operator’s licence if the network operator has not used the specified frequencies for one year or has used them for a different purpose to that authorised. Regardless of the network operator’s behaviour, the Authority may also revoke authorisation to use certain radio frequencies if doing so is the only means by which to avoid harmful radio interference.
The impact of revoking Vodafone’s authorisation to use some or all of its radio frequencies would have the practical effect of shutting down part or all of its network or services, depending on the extent of the revocation.
Under Article 111 of the Electronic Communication Law, Vodafone is obliged to withstand with its own network and services the state needs on extraordinary situations and national protection of security and public order. Based on this article, the government may propose different measures for addressing extraordinary situations related to the national protection of security and public order, which may include the government taking control of or shutting down a network operator’s network and services.
Under Article 134, the Authority on Postal and Electronic Communication may order that the equipment of a network operator be confiscated or that the network operator be banned from using it, if the network operator violates the law or causes harmful interferences to the network. The practical impact of this would be the shutting down of part or all of the network operator’s network or services.
BLOCKING OF URLS & IP ADDRESSES
The Authority on Postal and Electronic Communication may notify network operators to access to certain URLs, IP addresses and/or IP ranges if requested to do so by a public or regulatory authority. Most commonly, this would be the prosecutor’s office, a judicial court, or any other public institution which is given by the Law competences to make such decisions.
In late 2013, following the approach of the Albanian government against gambling, the Supervisory Unit of gambling activities liaised with the Authority on Postal and Electronic Communication and ordered all mobile operators and ISPs to block access on their networks to any website providing offshore online gambling services. Since then, offshore gambling websites have been blocked by network operators in Albania.
POWER TO TAKE CONTROL OF VODAFONE’S NETWORK
Electronic Communications Law
Please see ‘Shut-down of network and services’ above. Under Article 111, the government’s powers may extend to taking control of a network operator’s network and services, for as long as the extraordinary situation related with national protection of security and public order shall last.
Law No. 8561
Law No. 8561 provides the Albanian government (acting through central or local government authorities) with the right to temporarily take control of private property where to do so is in the public interest and such public interest cannot otherwise be protected. Under Article 27 such public interest includes where there is an extraordinary event (the meaning of which is outlined in Section 1 ‘Shut-down of network and services’ above) or war. Government use of private property cannot extend past the legal reason for which it was established and, in any event, for no more than 2 years. It is feasible that these powers could allow a government authority to take control of Vodafone’s network.
A request by the government to take control of private property must include a description of the property that will be taken control of; the reason and term of the control; and an offer of compensation to the owner of the property. Under Article 34, in exceptional and urgent cases when the circumstances do not allow any delay, the government authority may take immediate control of the property. However, within 24 hours the government authority must present a request for endorsement under Law No. 8561. Where private property is taken over by central government, such activity must be authorised by the relevant government minister.
Oversight of the Use of Powers (Censorship-related)
ELECTRONIC COMMUNICATION LAW
Under Article 136 of the Electronic Communication Law, decisions relating to the confiscation of equipment by the Authority can be appealed to the courts. Other decisions of the Authority are subject to the Administrative Procedure Code. The Code is a law which provide all the rules applied and used by all public institutions. Typically according to the Code, any decision of a public institution can be subject to court proceedings only after all the administrative appeal steps (i.e. appeal before the superior authority of administrative institution concerned) have been exhausted, unless the Code provides otherwise and allows direct appeal to the courts.
LAW NO. 8561
Under Article 37 of Law No. 8561, the owner of the property being taken control of by the government authority has the right to appeal to the courts against that decision. The property owner may also appeal the level of compensation offered or the specific conditions of the property use. Such appeal must be made within 30 days. Therefore, Vodafone could choose to appeal to the courts were a government authority to take control of its network.
Encryption and Law Enforcement Assistance
1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?
Yes. The relevant legislation is the Criminal Code and the Interception Law, both of which are referred to at the beginning of this country section.
As addressed earlier in this country section, Article 22 of the Interception Law provides that when the authorities fail to implement the lawful interception, they may request the assistance of the operator; the latter is then bound to undertake all necessary steps in relation to such interception.
In addition, the Criminal Procedure Code (Article 208/a para 2), despite being a technologically updated provision, seems to impose a catch-all obligation to disclose data stored/held with the electronic communications operators.
Under these circumstances and having the obligation to enable/assist successful interception and disclose communications data, Vodafone concludes that the provision of decryption keys of such communications data in cases when the operator is in possession of the decryption key is mandatory by law.
Article 101(6) refers only to the traffic communications data and location data (otherwise known as call details records or relevant metadata) and does not cover the communication data that can be stored or held with the operator.
2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?
No. There is no explicit provision in the Interception Law that obliges operators to support decryption of communication on third party services. On the contrary, Article 21/1 of the Interception Law stipulates that operators should build the necessary infrastructure to ensure interception capability over their users/customers, which make use of the operators’ own electronic communication services.
In addition, under Article 3 of the Interception Law, only operators who are locally licensed/ authorised to conduct telecommunication activity are subject to the Interception Law, which means that any third party which is not licensed/authorised by a local regulatory body would not be subject to interception rules. It is therefore our implicit understanding that the duty to provide interception lies with a licensed operator’s own services/networks. Practically speaking, this means that in order for a law enforcement agency to capture all communication data in their country, all operators in that country would need to be licensed and bound by the interception rules.
Based on the above, decryption of third party communication data by a telecommunications operator could be interpreted as unlawful interception and a breach of communication privacy/secrecy law under the Constitution and the Interception Law.
3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and content of the communication on receipt of a lawful demand?
There is not any express mandatory law provision that limits a telecommunications operator in providing end-to-end encryption on its communication services.
Nevertheless, from the perspective of interception obligations under the Interception Law, a telecommunications operator must offer, at its own expense, the technological solutions that would enable the competent authorities to perform the interception activity whenever it is required to do so. The issue with end-to-end encryption is that it makes it impossible to commit to decrypt the communications when and if requested.
Based on the above and acknowledging that end-to-end encryption limits a telecommunications operator’s capacity to comply with the lawful interception obligations, Vodafone concludes that in practical terms a telecommunications operator cannot offer end-to-end encryption because it would not be capable of decrypting such communication should the authorities request to intercept it at a laterstage.
4. Please provide examples in your jurisdiction where legislation that predated the advent of commercial encryption (which Vodafone estimate as circa 1990) has been applied to contemporary cases involving encryption.
There are no such precedents in Albania.