UPDATED: May 2017 | SOURCE: Vodafone Group with support from Hogan Lovells
Provision of Real-time Lawful Interception Assistance
Real-time lawful interception forms part of the criminal investigation powers of the law enforcement agencies (LEAs), ie police, carabinieri, tax police and other authorised agencies: LEAs and intelligence agencies, as authorised by the competent judge or prosecutor.
ITALIAN CRIMINAL PROCEDURE CODE
(Articles 266 to 271 of the Italian Criminal Procedure Code): in investigations related to certain crimes listed in Article 266 (eg crimes concerning arms and explosive substances, crimes committed with criminal intent punished with imprisonment up to five years, etc), the public prosecutor is entitled to ask the judge of the criminal investigation (GIP) to authorise real-time interceptions, if there are serious suspicions that the target is involved in the case and interception is necessary for the collection of evidence. In matters of urgency, the public prosecutor can directly authorise interceptions, but the GIP shall validate such authorisation within 48 hours. Interception orders are granted for 15 days, renewable for further periods of 15 days (Article 267 of the Italian Criminal Procedure Code). In the case of investigations into organised crime (eg Mafia cases), interception orders are granted for 40 days, renewable for further periods of 20 days. Real-time interceptions can also be authorised for electronic and telematic communications (Article 266-bis of the Italian Criminal Procedure Code).
IMPLEMENTING PROVISIONS OF THE CRIMINAL PROCEDURE CODE
Preventive interceptions by LEAs (Article 226 of Legislative Decree No. 271 of 1989): for the purpose of preventing specific crimes (eg committed by criminal associations and international terrorism organisations or for terrorism purposes through electronic devices), the Minister for Home Affairs or, where delegated by the latter, the Head of the Central and Interprovincial Department of LEAs or, in certain cases, the Head of the Anti-Mafia Investigation Department are entitled to ask the public prosecutor to authorise real-time interceptions. Interception orders are granted for 40 days, renewable for further periods of 20 days.
LAW DECREE NO. 144 of 2005, AS AMENDED BY LAW NO.155 of 2005
Preventive interceptions by intelligence agencies (Article 4 of Law Decree No. 144 of 2005, as amended by Law No. 155 of 2005): the Prime Minister and, where delegated by the latter, the heads of Italian intelligence agencies (ie AISE and AISI) are entitled to ask the General Prosecutor before the Rome Court of Appeal to authorise interceptions for their scope of work, including enforcing national security. The General Prosecutor can authorise the requested interceptions through a reasoned decision. Interception orders are granted for 40 days, renewable for further periods of 20 days.
Given the legal framework described above, the relevant legislation regulating technical interception capabilities is the following:
Legislative Decree No. 259 of 2003 (Electronic Communications Code) prescribes that electronic communications service providers, including both Communications Service Providers (CSPs) and Internet Access Service Providers (ASPs), shall comply with any order for interceptions issued by judicial authorities; times and means are agreed with those authorities until approval of the repertoire referred to in paragraph 2 of Article 96, which has not yet been adopted.
On 15 December 2005, the Italian Privacy Authority, on the basis of the powers conferred on it by Legislative Decree No. 196 of 2003 (Data Protection Code), issued specific guidelines prescribing to CSPs and ASPs a number of security measures with respect to the mechanisms adopted by CSPs and ASPs for dealing with judicial/LEA requests and for delivering intercepted products to LEAs, judicial authorities and intelligence agencies.
ELECTRONIC COMMUNICATIONS CODE
As a general rule, Article 96 of the Electronic Communications Code requires CSPs and ASPs to provide communications assistance and information to judicial authorities and LEAs for the purposes of criminal prosecution and national security. Pending the adoption of the intercept users’ requirement (nicknamed Repertorio), provided for by Article 96(2) (a detailed specification of mandatory interception services and technical standards that has never been formally adopted, although a draft of it has been confidentially shared with telecom operators), technical capabilities are, from time to time, agreed between the CSPs/ASPs and the public prosecutor/LEAs.
ITALIAN PRIVACY AUTHORITY’S GUIDELINES
The Italian Privacy Authority’s Guidelines of 15 December 2005 require CSPs and ASPs to implement a number of organisational and security measures in respect of lawful interception and the exchange of information with LEAs, judicial authority and intelligence agencies.
The main security measures prescribed by the Italian Privacy Authority are the following:
a. Organisational aspects of security:
– adoption of an organisational model to limit the knowledge of personal information processed;
– appointment of the persons in charge of the data processing, including a control of the authentication systems and the access to data processed;
– separation of data (accounting data from documentation data produced); and
– strong authentication procedures, including biometric verification.
b. Security of the information data flows from/to LEAs, judicial authority and intelligence agencies:
– use of communications systems based on secure network protocols;
– adoption of digital signatures to encode documents;
– use of encoding systems based on digital signatures for all the communications with the judiciary authority and LEAs;
– use of certified electronic mail (PEC); and
– delivery of the documents by hand exclusively through persons appointed by the judiciary authority, keeping a register of the deliveries.
c. Protection of data processed for criminal prosecution/national security:
– development of electronic means to ensure the control of the activities performed by each person in charge of the data processing with audit log registrations;
– adoption of advanced encoding instruments for the protection of data during storage in the information technology systems of the CSPs/ASPs; and
– limitation of retention of personal data for no longer than is strictly necessary to perform the order of the judicial authority providing for the cancellation of data immediately after the correct transmission to the judicial authority.
Recording of intercepted products has to be carried out by law enforcement monitoring facilities (LEMF) located in the building of the local/district prosecutor. However, in the case of interception of ‘data’ communications, the public prosecutor may order that the relevant interceptions be carried out by means of equipment owned by private companies or individuals (Article 268(3 bis) of the Italian Criminal Procedure Code) outside the prosecutor’s building.
Disclosure of Communications Data
According to the relevant provisions of the Italian Criminal Procedure Code and Legislative Decree No. 271 of 1989, CSPs and ASPs can be required to provide LEAs (duly authorised by the judicial authority) with metadata relating to customers’ communications within a criminal investigation as follows:
a. Seizure of data in the possession of CSPs/ASPs within criminal proceedings (Article 254 of Italian Criminal Procedure Code): The judicial authority has the power to order the seizure of any information that CSPs possess, including metadata, voicemail or an unread email in an inbox relating to customers.
b. Access to customers’ data by LEAs (Article 226(4) of Legislative Decree No. 271 of 1989): For the purpose of preventing crimes by criminal associations and international terrorism organisations or crimes committed for terrorism purposes through electronic devices, the Minister for Home Affairs or, where delegated by the latter, the LEAs’ Head of Regional Department or, in certain cases, the Head of the Anti-Mafia Investigation Department are entitled to ask the public prosecutor to order CSPs/ASPs to trace telephony and data communications and to authorise access to data relating to such communications and to any other relevant information stored by CSPs.
According to Article 96 of the Electronic Communications Code, CSPs and ASPs can be required to provide LEAs with information and metadata relating to customers in respect of the retention period established in Article 132 of the Data Protection Code (Legislative Decree No. 196/2003 and subsequent amendments).
According to the relevant provisions of the Italian Criminal Procedure Code, Legislative Decree No. 271 of 1989 and Electronic Communications Code, CSPs and ASPs can be required to provide LEAs (duly authorised by the judicial authority) with communications data stored in their database.
In addition, Article 55 of the Electronic Communications Code sets forth the obligation for CSPs and ASPs to provide the Minister of Internal Affairs with a list of all their customers or purchasers of pre-paid mobile traffic. The judicial authorities can have access to such list for the performance of their duties.
Furthermore, according to Law No. 124 of 2007 on the reorganisation of the intelligence agencies, CSPs/ASPs can be required to cooperate with and provide access to their archives to intelligence agencies. This obligation has been recently clarified by the Prime Minister’s Decree of 24 January 2013 on cyber security, which directly refers to this law. The Decree states that CSPs/ASPs are required to cooperate with intelligence agencies (AISE and AISI) and the National Security Department (DIS) according to their respective competences as set out by Law No. 124 of 2007, on the basis of specific operational agreements, in the interest of national security: ie in order to protect the independence, integrity and security of the Italian Republic from any internal or external subversive activity and criminal or terrorist attack. Furthermore, CSPs and ASPs shall provide information to and allow AISE, AISI and DIS to access their databases.
Finally, Law Decree No. 7 of 2015, as amended by Law No. 43 of 2015 on urgent measures against terrorism, as well as Law Decree No. 210 of 2015, as amended by Law No. 21 of 2016, introduce data-specific retention requirements for CSPs and ASPs, such as Vodafone.
National Security and Emergency Powers
There are a number of provisions allowing the government to take over the management of networks in cases of emergency, such as disaster relief, search and rescue, public protection and national security. Among such provisions, below are the most relevant:
a. Article 11 of Ministerial Decree of 24 January 2013;
b. Article 73 of the Electronic Communications Code;
c. Article 2 of TULPS (Reformed Law on Public Security); and
d. Article 5.2 of Law No. 225 of 1992 on the Civil Protection Service.
Article 11 of the Ministerial Decree of 24 January 2013 provides that CSPs and ASPs must cooperate with the management of a cyber crisis, helping to restore network and communications systems in the event of failure.
Article 73 of the Electronic Communications Code establishes that, in the case of a severe network crash, the Ministry of Communications is entitled to set forth the measures needed for guaranteeing the availability of the public phone network. CSPs and ASPs must implement all the necessary measures for guaranteeing nonstop access to emergency services.
According to Article 2 of TULPS, the Prefect, in urgent situations or state of emergency, is entitled to adopt all the necessary decisions for protecting public order and public security.
According to Article 5.2 of Law No. 225 of 1992 on the Civil Protection Service, after the state of emergency has been declared, the Head of the Civil Defence Department can issue decrees with respect to, among other things, the restoring of strategic network infrastructures.
Oversight of the Use of Powers
In addition to the above, Article 98(3) and Article 32 of the Electronic Communications Code set out sanctions for CSPs/ASPs that do not comply with specific obligations to cooperate with judicial authorities and LEAs in relation to interception operations (eg fines and licence waiver).
In the case of seizure of communications data (eg historical traffic data, communications content) carried out within criminal proceedings, the authorisation and control of the GIP is necessary on the basis of the public prosecutor’s request.
The activity of the intelligence agencies is directly monitored by the Prime Minister and by COPASIR, a special parliamentary committee whose function is to systematically ensure that Italian intelligence agencies operate in compliance with the Constitution and the law.
The judiciary plays no role in the execution of the operational agreements between the intelligence agencies and the CSP/ASP, or in the access operations. However, such agreements are notified to the DIS, and COPASIR is informed annually of the number of accesses to these databases.
In order to have access to communications data (eg historical traffic data, communications content), intelligence agencies need the authorisation of the General Prosecutor before the Court of Appeal.
SHUT-DOWN OF NETWORK AND SERVICES
Legislative Decree No. 259 of 2003 (Electronic Communications Code)
Under Article 96 of the Electronic Communications Code, communications service providers (such as Vodafone) must comply with the requests of the competent judicial authority where this is for the purposes of justice. A list of the types of activities that communications service providers may be required to perform is contained in the so-called ‘Listino’, adopted with Ministerial Decree No. 14120 of 26 April 2001, pursuant to Article 96(2) of the Electronic Communications Code. Such activities include shutting down the network or some service in a specified area.
Law No. 124 of 2007
Article 13(1) of Law No. 124 of 2007 establishes a general principle whereby communications service providers (such as Vodafone) are required to cooperate with the government intelligence agencies (ie DIS, AISE and AISI) if requested within their institutional scope of work.
The law does not include a specific provision allowing intelligence agencies to interfere with communications network operation without previously requesting the providers’ cooperation, but nor does it prevent them from doing so.
Decree of the Prime Minister of 24 January 2013
The Decree of the Prime Minister (“DPCM”) of 24 January 2013 has established guidelines to ensure cyber security and national security and confirms the crucial role played by “ad hoc agreements” with communication service providers in Article 7, paragraph 5.
However, according to Article 11, all communication service providers (including Vodafone) have to cooperate in cyber crisis management by restoring the functionality of systems and networks under their control. Based on such provision, there seem to be some areas where, even without an agreement creating a legal obligation, the communication service providers must cooperate with the public entities for a prompt response to the crisis. The specific cooperation requested of the communication service providers is determined on a case-by-case basis.
The regulatory framework designed by Law No. 124 of 2007 (as amended by Law No. 133 of 2012) gives a central role to the Prime Minister and to the acts that he can issue based on Article 1, paragraph 3a.
Criminal Procedure Code
Other forms of cooperation – the content of which is not previously determined – may also be imposed by the judicial authorities and the judicial police pursuant to Article 348, paragraph 4 of the Criminal Procedure Code.
BLOCKING OF DOMAIN NAMES AND IP ADDRESSES
Law No. 269 of 1998
Under Article 14-quater of Law No. 269 of 1998, as amended by Law No. 38 of 2006, communications service providers must implement filtering instruments and related technological measures to prevent access to websites containing content featuring child sex abuse. Such filtering instruments and related technological solutions are set by the Ministerial Decree of 8 January 2007 and include the blocking of URLs and IP addresses. The Ministry of Interior includes a department responsible for indicating the websites that must be blocked by communications service providers.
Law No. 296/2006
The Agency of State Monopolies (AAMS, Agenzia delle dogane e dei Monopoli) is responsible for combatting illegal gambling, and it can adopt specific orders forcing communications service providers (such as Vodafone) to implement technological measures that prevent access to illegal gambling websites, such as DNS blocking. The list of illegal gambling sites is provided and regularly updated by the Agency.
Legislative Decree No. 70 of 2003 (“E-Commerce Decree”)
According to Articles 14(3), 15(2) and 16(3) of the E-Commerce Decree, the judicial or administrative authority having controlling functions is entitled to order internet service providers (such as Vodafone) to immediately stop violations that are being committed on the internet.
Italian Criminal Procedure Code (Royal Decree No. 1398 of 1930)
According to Article 321 of the Italian Criminal Procedure Code, in the case of a criminal prosecution, the judicial authority may, at the public prosecutor’s request, order the seizure of a thing (for example, a website) related to the crime, when such a thing is liable to aggravate the crime’s consequences or to determine the commission of other crimes. In urgent cases, the judge’s order may follow an act of seizure, provided it is within 48 hours of the fact taking place.
POWER TO TAKE CONTROL OF VODAFONE’S NETWORK
Law No. 124 of 2007
Depending on the terms of the agreement between the intelligence agency and communications service provider, a communications service provider may be required to hand over control of its network to the intelligence agency in the interests of national security, with the authorisation of the Prime Minister or the judge. Please refer to ‘Shut-down of network and services’ above.
Oversight of the Use of Powers (Censorship-related)
Depending on the authority issuing the order, there could be either judicial or administrative oversight of an authority’s use of its powers under the E-Commerce Decree.
ELECTRONIC COMMUNICATIONS CODE
A request made to a communications service provider to perform one of the activities listed in the ‘Listino’ must be made by a competent judicial authority. As a consequence, the exercise of the public powers requesting that cooperation is subject to judicial scrutiny.
LAW NO. 269 OF 1998
The list of websites to be blocked by communications service providers under Law No. 269 of 1998 is maintained by a specific department of the Ministry of Interior. The courts do not have the power to review the Ministry’s use of its powers in this respect.
LAW NO. 296/2006
Communications service providers (such as Vodafone) can receive specific communications from the Agency of State Monopolies aimed at removing the filter blocking access to a given website. The list of illegal gambling sites is provided and regularly updated by the Agency.
ITALIAN CRIMINAL PROCEDURE CODE (ROYAL DECREE NO. 1398 OF 1930)
The order is made by a judicial authority and therefore is subject to judicial review.
Encryption and Law Enforcement Assistance
1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?
Under Italian law, the government has no express legal power to require a telecommunications operator to decrypt communications data. However, there are a number of legal obligations mentioned above (see ‘Provision of real-time lawful interception assistance’ and ‘Disclosure of communications data’) that entail the duty of CSPs to provide authorities with cleartext data, which in practice will include the obligation to decrypt data where Vodafone has control over the encryption and/or has the possibility to access cleartext data.
2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?
Italian law does not expressly provide for a government legal power to require a telecommunications operator to decrypt data carried on its networks as part of a telecom service where the encryption has been applied by a third party. However, as highlighted in Question 1 above, under Article 96 of the Electronic Communications Code, in the case of legal interception arranged by the judicial authority, a telecommunications operator has an obligation to provide the competent authority with access to cleartext data, in order to allow the hearing of the content and conversations; there is no such obligation, however, where the contents relate to OTT services.
Therefore, although the government has no legal authority to require a telecommunications operator to decrypt data carried on its networks, in the context of legal interception, the judicial authority can order a telecommunications operator to provide the relevant data in clear. Practically speaking, the legal obligations mentioned in Question 1 can only require a CSP to provide cleartext data where the CSP has actual control over the encryption and/or has the possibility to access the cleartext data.
3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and the content of the communication on receipt of a lawful demand?
Under Italian law, there are no express provisions prohibiting a telecommunications operator from offering end-to-end encryption on its communications services. However, as highlighted in Questions 1 and 2 above, with respect to the obligations under Article 96 of the Electronic Communications Code, in the case of legal interception arranged by the judicial authority, a telecommunications operator has an obligation to provide cleartext data to the relevant authorities, in order to enable lawful interception. In light of that legal obligation, in Vodafone’s view a telecommunications operator would not be able to offer end-to-end encryption to its users where the ability to provide cleartext data would be outside of its control.
4. Please provide examples in this jurisdiction where legislation which predated the advent of commercial encryption (which Vodafone estimates to be circa 1990) has been applied to contemporary cases involving encryption.
Vodafone is not aware of any examples.