Provision of Real-time Lawful Interception Assistance

CODE OF CRIMINAL PROCEDURE

The Code of Criminal Procedure makes it possible to impose measures with a view to intercepting a person’s communications following a warrant by the examining magistrate (juge d’instruction/onderzoeksrechter). This warrant also needs to be communicated to the public prosecutor.

A warrant is an order coming from the examining magistrate in which he or she imposes special investigation measures, including interception measures. This order needs to explain why such measures are needed and under which circumstances they will be used.

Article 90ter of the Code of Criminal Procedure grants the examining magistrate, under specified circumstances and for specific cases, the power to issue real-time interception measures.

Article 90quater, Section 1 of the Code of Criminal Procedure states that the warrant issued by the examining magistrate and authorising the interception measure needs to be signed and needs to contain:

i. the indications and the concrete facts proper to the case justifying the interception measure(s);

ii. the reasons for which the measure is necessary to reveal the truth;

iii. the person, means of communication/ telecommunications and/or the place of surveillance;

iv. the period during which the surveillance can be executed (no longer than one month starting from the decision ordering the measure); and

v. the name of the criminal police officer that has been designated to execute the measure.

Article 90quater, Section 2 of the Code of Criminal Procedure states that if the interception measure implicates some kind of processing of a communications network, if the operator of this network or provider of a telecommunications service (‘electronic communications operator’) needs to cooperate, if the examining magistrate in person or through a police service requests so.

THE ROYAL DECREE 2003

The Royal Decree of 9 January 2003 on the modalities for the legal ‘cooperation duty’ in the case of legal action relating to electronic communications lays out the details of this cooperation duty. Article 6 of the Royal Decree deals with the ability for electronic communication operators to assist in real-time interception operations.

The Royal Decree on legal cooperation duty following legal actions states that every electronic communications operator needs to designate one or more persons being charged with the cooperation duty (ie the duty to cooperate with the prosecution and investigation authorities with a view to tracking down/identifying/intercepting certain data). These persons form the so-called ‘Coordination Cell Justice’. Electronic communications operators can decide to form a shared Coordination Cell. This Cell takes the measures which are necessary for interception of private communications or telecommunications following receipt of the warrant of the examining magistrate.

THE INTELLIGENCE AND SAFETY SERVICES ACT 1998

The Intelligence and Safety Services Act of 30 November 1998 states that intelligence and safety services are allowed to intercept a person’s communications, if national security is at stake. This interception can only be executed after a written request from the Director-General of the State Security (‘the Director-General’).

A real-time interception is a so-called ‘exceptional method for collecting data’. These exceptional methods need to be authorised by the Director-General. With regard to the exceptional methods, Article 18/10 of the Intelligence and Safety Services Act of 30 November 1998 describes the authorisation to be granted by the Director-General prior to the execution of the interception measures. Before this authorisation becomes final, it has to be made subject to the advice of the Administrative Commission supervising the specific and exceptional methods for collecting data by the intelligence and safety services (‘the Commission’). The advice of the Commission determines whether the relevant legislation and general principles of subsidiarity and proportionality have been respected. If the advice is negative, the interception measure cannot be executed.

The authorisation needs to be in writing and contain:

i. a description of the exceptional threats justifying the interception;

ii. the reasons why the interception is necessary;

iii. the names of persons or entities whose communications are being intercepted;

iv. the technical means used to intercept;

v. the period of interception; and

vi. the names of the intelligence officers involved in the operation.

With regard to an interception measure (in addition to the Article 18/10 authorisation), Article 18/17, Section 1 of the Intelligence and Safety Services Act of 30 November 1998 states that the intelligence services can intercept a person’s communications. Section 3 states that electronic communications operators are required to cooperate with the intelligence services if the interception requires processing by an electronic communications network.

As mentioned above, the Director-General needs to draft a written request to the relevant operator in order for the latter to cooperate. This request contains the advice of the Commission on the general authorisation to use interception measures (as laid down in Article 18/10).

THE ROYAL DECREE 2010

The Royal Decree of 12 October 2010 on specific rules for the legal ‘cooperation duty’ in case of actions of the intelligence services regarding electronic communications lays out the details of this cooperation duty. Every electronic communications operator needs to designate one or more persons being charged with the cooperation duty (ie the duty to cooperate with the intelligence services authorities with a view to tracking down/ identifying/intercepting certain data). These persons form the so-called ‘ Coordination Cell Justice’. Electronic communications operators can decide to form a shared Coordination Cell. This Cell takes the measures which are necessary to intercept private communications or telecommunications following the receipt of the written and reasoned decision of the Director-General of the intelligence services.

THE ELECTRONIC COMMUNICATIONS ACT 2005

Article 125, Section 2 of the Electronic Communications Act of 13 June 2005 (relating to interception demands coming from authorities competent in prosecution and investigation of criminal offences and/or the intelligence services), states that the King determines the modalities on the means to be put in place in order to identify, track down, localise, become aware of and intercept electronic communications. These modalities have been determined in the Royal Decree of 15 October 2010 mentioned above.

Article 127, Section 1, 2° of the Electronic Communications Act lays out the technical and administrative measures electronic communications operators need to take in order to be able to identify, track down, intercept and become aware of private communications (on demand of competent authorities and/or the intelligence services). If they do not take such measures (ie internal procedures for dealing with these requests), they are not allowed to offer the electronic communications service in respect of such measures.

Disclosure of Communications Data

THE ELECTRONIC COMMUNICATIONS ACT 2005

The Electronic Communications Act of 13 June 2005 contains provisions for the duty of electronic communications operators to provide metadata on demand from the competent prosecution/investigation authorities (see below – Criminal Procedure Code) and from the intelligence services (see below – Intelligence and Safety Services Act of 30 November 1998):

Article 122, Section 1 of the Electronic Communications Act of 13 June 2005 states that electronic communications operators may be required not to remove or to anonymise traffic data relating to subscribers or end users, if authorities prosecuting criminal offences or the intelligence services require them to do so.

Article 125, Section 2 states that the King determines the modalities on the means to be put in place with a view to identifying, tracking down, localising, becoming aware of and intercepting electronic communications.

Article 127, Section 1, 2° lays out the technical and administrative measures electronic communications operators need to take with a view to being able to identify, track down, intercept and become aware of private communications. If they do not take such measures (ie internal procedures for dealing with these requests), they are not allowed to offer the electronic communication services for such measures. The modalities on these measures have been determined in the Royal Decree on legal cooperation duty following legal actions, mentioned below.

THE ROYAL DECREES OF 2003 AND 2010

Article 6, Section 1, 1° of the Royal Decree on legal cooperation duty following legal actions and Article 8, Section 1, 1° of the Royal Decree on cooperation duty following intelligence service actions specify that the content of communications may be transmitted to the authorities prosecuting and investigating criminal offences as well as the intelligence services.

The requirements of the Electronic Communications Act as described above should also be borne in mind when considering the following criminal procedures and intelligence services-related procedures.

THE CRIMINAL PROCEDURE CODE

There are specific authorisations and notifications required for investigation measures set out under the Criminal Procedure Code:

• Article 46 bis: Following a reasoned written decision from the public prosecutor, an electronic communications operator may be required to provide data allowing a subscriber/user of an electronic communications service or an electronic communications service to be identified.

• Article 88 bis: Following a reasoned court order from the examining magistrate, he or she may require, directly or through a police service, an electronic communications operator to provide data allowing the identification and location of a subscriber or an electronic communications service.

For every means of telecommunication used and subject to a court order, the day, hour, duration and location of the call are recorded in an official report (proces-verbaal/procès-verbal).

THE INTELLIGENCE AND SAFETY SERVICES ACT 1998

Collection of identification and localisation data relating to a subscriber or end-user is classified as a specific method of investigation (whereas interception measures are considered to be exceptional methods).

Article 18/3 of the Intelligence and Safety Services Act of 30 November 1998 states that identification and localisation data can only be disclosed after a written and reasoned decision by the Director-General and after notification of this decision to the Administrative Commission supervising the specific and exceptional methods for collecting data by the intelligence and safety services.

Article 18/7, Section 1 of the Intelligence and Safety Services Act of 30 November 1998 states that the electronic communications operators have to provide data allowing the identification and/or localisation of a subscriber to or user of an electronic communications service as well as data relating to the means and ways of payment of the subscription fees and/or user fees of an electronic communication service. (The Director-General needs to address a written decision to the operators in order to obtain their cooperation, in addition to the Article 18/3 decision.)

Article 18/8, Section 1 of the Intelligence and Safety Services Act of 30 November 1998 states that the electronic communications operators have to provide data allowing the tracking of call identification data and locating the origin or the destination of the means of electronic communication.

The Royal Decree on cooperation duty following intelligence service actions, mentioned above, lays out the details of these requirements, ie that this communication of data needs to be done by the Coordination Cell of Justice.

National Security and Emergency Powers

ELECTRONIC COMMUNICATIONS ACT 2005

Under Article 4 of the Electronic Communications Act, the King can fully or partially prohibit the provision of electronic communication services in the interests of public security (after consultation with the Council of Ministers).

CIVIL CONTINGENCES ACT 2007

Under the Civil Contingencies Act of 15 May 2007, the government is given broad powers for a limited period of time during civil emergencies, which could in theory extend to a range of actions in relation to Vodafone’s network and/or customers’ communications data in Belgium.

For instance, Article 181 of the Civil Contingencies Act states that the Ministers competent for internal affairs and for health, or their delegates, may seize everyone and/or everything in the framework of interventions for missions of civil contingency (rescue missions, etc), if there are no public services available. In theory, this could also include the communications data and/or network of Vodafone.

Oversight of the Use of Powers

OVERSIGHT OF THE USE OF THESE POWERS

With regards to the interception measures ordered by the examining magistrate pursuant to the Criminal Code Procedure, the person whose communications have been intercepted can argue that the interception was illegal. He can do this before a pre-trial chamber (“Chambre du conseil/Raadkamer”), during the pre-sentence stage (before the case is treated on the merits). He can also do this during the treatment of the case on the merits before the Criminal Court, before the Court of Appeal or eventually before the Court of Cassation.

With regards to the interception executed by the intelligence and safety services act of 30 November 1998, there is administrative oversight. Article 18/10, § 6 of the Intelligence and Safety Services Act of 30 November 1998 outlines that, at any time, the members of the Commission can exercise control on the legality of the measures (including the principles of proportionality and subsidiarity). In order to exercise this control, they can go to places where the intercepted data are received or registered. They can request all useful documents and they can interrogate members of the intelligence services. If the Commission concludes that the threat(s) present at the origin of the interception measure no longer exist(s) or that the measure is no longer useful, it ends the interception measure (or suspends it in case of illegalities).

If the Commission concludes that the data are being obtained under illegal conditions, they are kept under the supervision of the Commission (after advice of another Commission, i.e. the Commission on the protection of the privacy (“Privacy Commission”)). The Commission prohibits the use of the illegally obtained data and suspends the measure if it is still in place.

Pursuant to Article 43/2 of the Intelligence and Safety Services Act of 30 November 1998 the so-called “Vast Comité I/Comité Permanent R” (“Vast Comité I”) is charged with the a posteriori control on the interception measures (i.e. the legality and the respect for the principles of proportionality and subsidiarity of the decisions in order to execute the interception measures and of the methods used). If the Vast Comité I concludes that the measure is illegal, it orders all data obtained through the measure to be destroyed and prohibits any exploitation of these data. There is no appeal possible against the decisions of the Vast Comité I.

Regarding the disclosure of communications data, pursuant to the Criminal Code Procedure, the persons whose communications data have been disclosed can argue that disclosure was illegal. He can do this before the pre-trial chamber (“Chambre du conseil/Raadkamer”), during the pre-sentence stage (before the case is treated on the merits). He can also do this during the treatment of the case on the merits, before the Criminal Court, before the Court of Appeal or, eventually, before the Court of Cassation.

With regards to the disclosure of metadata executed by the Intelligence and Safety Services act of 30 November 1998, there is administrative oversight. Pursuant to article 18/3, § 2 at the end of every month, a list of executed measures (among which the disclosure measures) is sent to the Commission. At any time the members of the Commission can exercise control on the lawfulness of the measures (including the principles of proportionality and subsidiarity). In order to exercise this control, they can go to those places where the disclosed data are received or registered. They can request all useful documents and they can interrogate members of the intelligence service. If the Commission concludes that the data is being obtained under unlawful conditions, such data may be kept under the supervision of the Commission after taking advice from the Commission on the Protection of Privacy (“Privacy Commission”). The Commission prohibits the use of the illegally obtained data and suspends the measures if they still are in place.

Under the Electronic Communications Act 2005, any Royal Decree can be challenged before the Council of State. The Council of State can then decide to confirm or repeal the Royal Decree.

There is no judicial oversight of the use of powers under the Civil Contingences Act 2007.

Censorship-related Powers

SHUT-DOWN OF NETWORK AND SERVICES

Under Article 4 of the Electronic Communications Act, the King of Belgium can fully or partially prohibit the provision of electronic communication services in the interests of public security after consultation within Belgium’s Council of Ministers. Such a Royal Decree could order the shut-down of Vodafone’s entire network or some of its services.

ELECTRONIC COMMUNICATIONS ACT

Under Article 4 of the Electronic Communications Act the King of Belgium can fully or partially prohibit the provision of electronic communication services in the interest of public security after consultation within Belgium’s Council of Ministers. Such a Royal Decree could order the shut-down of Vodafone’s entire network or some of its services.

BLOCKING OF URLS & IP ADDRESSES

The government does not have any legal authority to order Vodafone to block specified URLs and/or IP addresses.

However, the judge can order Vodafone to block IP addresses and/or ranges of IP addresses, if it appears that illegal material is being transmitted through the IP addresses it manages.

Chapter VI of Book XII of the Economic Law Code – the Law of the Electronic Economy – states that the competent judicial authorities may require internet service providers to terminate or prevent certain infringements consisting of the transmission of illegal material.

POWER TO TAKE CONTROL OF VODAFONE’S NETWORK

The government does not have legal authority to take control of Vodafone’s network.

Oversight of the Use of Powers (Censorship-related)

ELECTRONIC COMMUNICATIONS ACT

Any Royal Decree by the King can be challenged before the Council of State. The Council of State can then decide to confirm or repeal the Royal Decree.

BOOK XII, ‘THE LAW OF THE ELECTRONIC ECONOMY’ OF THE ECONOMIC LAW CODE

Any court order with a view to requiring internet service providers to terminate or prevent certain infringements consisting of the transmission of illegal material will be subject to classical judicial oversight at the time of the request. If made, a court order may be subject to an appeal before the Court of Appeal. The judgment of the Court of Appeal may be subject to a further appeal before the Court of Cassation.

Encryption and Law Enforcement Assistance

1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?

Yes, under specific circumstances.

Article 8, Section 1, 4° of the Royal Decree on cooperation duty following intelligence service actions and Article 6, Section 1, 4° of the Royal Decree on legal cooperation duty following legal actions state that in communicating data to the competent prosecution/ investigation authorities or the intelligence agency, in the framework of surveillance measures, the content of the communication needs to be comprehensive. If the operators have encrypted or encoded certain data, they need to lift this encryption/code.

Article 127, Section 2 of the Electronic Communications Act prohibits any provision or use of a service or equipment hindering the execution of the measure which operators need to take to communicate certain data to the competent authorities, unless the encryption systems are being used to guarantee the confidentiality of the communication and the safety of payments (this prohibition is not applicable to electronic communication services provided on the basis of a prepaid card (this will change in the near future)).

Under Article 90quater, Section 4 of the Criminal Procedure Code, the examining magistrate can oblige competent persons to decrypt encrypted data, in order to obtain access to the content of the concerned data.

2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?

Under Article 90quater, Section 4 of the Criminal Procedure Code, the examining magistrate can oblige competent persons to decrypt intercepted encrypted data, in order to obtain access to the content of the concerned data.

More particularly, any person whom the examining magistrate estimates has particular knowledge of the telecommunications service subject to surveillance or of the services allowing the encryption of registered data can be ordered by the examining magistrate to provide information on how to decrypt the concerned information in such a way that its content is accessible to the examining magistrate.

The examining magistrate can order persons to make accessible the content of an intercepted telecommunication in the way he or she wants it to be accessible. The persons who have been given the order have to do so, as far as they are capable of doing so.

In other words, if the examining magistrate estimates that a telecommunications operator is capable of decrypting certain data carried on its network, he or she can order the telecommunications operator to decrypt that data or, at least, to provide assistance with a view to decrypting the data, even if the encryption has been applied by a third party.

Article 88quater, Sections 1 and 2 of the Criminal Procedure Code, contains the same rules regarding obtaining access to computer systems that are subject to a search ordered by the examining magistrate.

3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and the content of the communication on receipt of a lawful demand?

As a principle under Belgian law, the use of encryption is free (this is stated under Article 48 of the Electronic Communications Act).

However, Article 127, Section 2 of the Electronic Communications Act prohibits any provision or use of a service or equipment hindering the execution of the measure which operators need to take to communicate certain data to the competent authorities, unless the encryption systems are being used to guarantee the confidentiality of the communication and the safety of payments.

In other words, as long as the telecommunications operator can demonstrate that the encryption software it offers does not aim to hinder the communication of data to the competent authorities, but aims to guarantee the confidentiality of the data and/or the safety of payments, the provision of encryption software is not contrary to its existing law enforcement obligations (the reasoning is the same for BAU and OTT services).

In practice, there are very few limits on the use of encryption techniques in Belgium.

4. Please provide examples in this jurisdiction where legislation which predated the advent of commercial encryption (which Vodafone estimates to be circa 1990) has been applied to contemporary cases involving encryption.

Vodafone has not found examples where legislation predating the advent of commercial encryption has been used to demand access to data protected by encryption.