UPDATED: May 2015 | SOURCE: Vodafone Group / Hogan Lovells Legal Advisory

Provision of Real-time Lawful Interception Assistance

SECURITY SERVICE ACT

Under the Security Service Act (Chapter 391) of the Laws of Malta, the Security Service of Malta can obtain authorisation for interception or interference with communications by means of a warrant issued by the Minister responsible for the Security Service (the Minister).

Article 3 of Chapter 391 states that the function of the Security Service will be to protect national security, in particular against threats from organised crime, espionage, terrorism and sabotage, against the activities of agents of foreign powers and against actions intended to overthrow or undermine parliamentary democracy by political, industrial or violent means. Furthermore, the Security Service will act in the interest of the economic well-being of Malta and public safety, particularly in relation to the prevention or detection of serious crime.

Chapter 391 does not provide for a definition of ‘serious crime’.

Chapter 391 defines ‘interception’ as ‘in relation to a warrant, the obtaining possession of, disrupting, destroying, opening, interrupting, suppressing, stopping, seizing, eavesdropping on, surveilling, recording, copying, listening to and viewing of communications and the extraction of information from such communications’.

According to Chapter 391, following a request made by the Security Service, the Minister may issue a warrant authorising the taking of such action as is specified in the warrant in respect of any communications. The warrant must be issued under the hand of the Minister or in an urgent case where the Minister has expressly authorised its issue, and a statement of that fact is endorsed by the hand of a senior government official who is a Permanent Secretary or the Cabinet Secretary.

Warrants are generally valid for six months (if issued by the Minister) or two days (if not issued by the Minister). Warrants may be modified or cancelled by the Minister at any time. The Minister can also extend their validity for a further six months.

ELECTRONIC COMMUNICATIONS NETWORK AND SERVICES (GENERAL) REGULATIONS

Under the conditions contained in the authorisation issued by the Malta Communications Authority to Vodafone pursuant to the Electronic Communications Networks and Services (General) Regulations (SL 399.28), Vodafone, as an authorised undertaking, has an obligation to comply with all requirements related to legal interception and data retention as may be established under the Electronic Communications (Regulation) Act (Chapter 399) or any other law.

To this date, no specific laws have been published in relation to the obligation of authorised undertakings to assist in implementing interception capabilities. However, authorised undertakings are required to assist law enforcement agencies, most notably the Security Service, in implementing interception capabilities on their networks and this is part of their authorisation conditions even though no specific law to this effect exists. Chapter 391 provides for warrants related to interception and not to any specific obligations on the network providers.

Article 86 of SL 399.28 states that the Malta Communications Authority will define the technical and operational requirements necessary to enable legal interception of electronic communications by the competent authorities in accordance with any law allowing and regulating such legal interception, provided that in doing so, the Malta Communications Authority will give reasons for the technical and operational requirements it defines and will seek to ensure that any expenses that undertakings may have to incur in order to meet any requirements it establishes are reasonable and justified.

Therefore, while no direct legal provision exists relating to the obligation of authorised undertakings to implement interception capabilities on their networks, the authorised undertakings have a legal obligation to fund the infrastructure used for such activities.

Disclosure of Communications Data

PROCESSING OF PERSONAL DATA (ELECTRONIC COMMUNICATIONS SECTOR) REGULATIONS

Disclosure of metadata is governed by Part II of the Processing of Personal Data (Electronic Communications Sector) Regulations (SL 440.01).

Disclosure of metadata is to be made by service providers of a publicly available electronic communications service or of a public communications network, in an intelligible form and only to the Police or the Security Service.

Regulation 20 of SL 440.01 provides for the disclosure of the following types of data which are traditionally considered metadata:

1. Data necessary to trace and identify the source of a communication:

a. concerning fixed network telephony and mobile telephony:

– the calling telephone number; and

– the name and address of the subscriber or registered user;

b. concerning internet access, internet email and internet telephony:

– the user ID allocated;

– the user ID telephone number allocated to any communication entering the public telephone network; and

– the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication.

2. Data necessary to identify the destination of a communication:

a. concerning fixed network telephony and mobile telephony:

– the telephone number or numbers dialled or called and, in cases involving supplementary services such as call forwarding or call transfer, the number or numbers to which the call is routed; and

– the name and address of the subscriber or registered user;

b. concerning internet email and internet telephony:

– the user ID or telephone number of the intended recipient of an internet telephony call; and

– the name and address of the subscriber or registered user and user ID of the intended recipient of the communications.

3. Data necessary to identify the date, time and duration of a communication:

a. concerning fixed network telephony and mobile telephony, the date and time of the start and end of the communication;

b. concerning internet access, internet email and internet telephony:

– the date and time of the log-in and log-off of the internet access service, based on a certain time zone, together with the IP address, whether dynamic or static, allocated by the internet access service provider to a communication, and the user ID of the subscriber or registered user; and

– the date and time of the log-in and log-off of the internet email service or internet telephony service, based on a certain time zone.

4. Data necessary to identify the type of communication:

a. concerning fixed network telephony and mobile telephony, the telephone service used; and

b. concerning internet email and internet telephony, the internet service used.

5. Data necessary to identify users’ communication equipment or what purports to be their equipment:

a. concerning fixed network telephony, the calling and called telephone numbers;

b. concerning mobile telephony:

– the calling and called telephone numbers;

– the International Mobile Subscriber Identity (IMSI) of the calling party;

– the International Mobile Equipment Identity (IMEI) of the calling party;

– the IMSI of the called party;

– the IMEI of the called party; and

– in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the location label (Cell ID) from which the service was activated;

c. concerning internet access, internet email and internet telephony:

– the calling telephone numbers for dial-up access; and

– the digital subscriber line or other end point of the originator of the communications.

6. Data necessary to identify the location of mobile communication equipment:

a. the Cell ID at the start of the communication; and

b. data identifying the geographic location of cells by reference to their Cell IDs during the period for which communications data are retained.

According to Regulation 19 of SL 440.01, metadata is to be disclosed to the Police or the Security Service where such data is required for the investigation, detection or prosecution of a serious crime.

SL 440.01 defines ‘serious crime’ as any crime which is punishable by a term of imprisonment of not less than one year and, for the purposes of SL 440.01, includes the crimes mentioned in Articles 48(1)(d) and 49 of Chapter 399.

A request for data is to be made in writing and will be ‘clear and specific’, but if the data is urgently required, such a request is made orally; however, a written version of the request will be made at the earliest opportunity.

Regulation 18(1) of SL 440.01 provides that there is no legal obligation on providers of publicly available electronic communications services or of a public communications network to retain data revealing content of any communication.

CRIMINAL CODE

Furthermore, Article 355AD of the Criminal Code (Chapter 9) provides that any person who is considered by the Police to be in possession of any information or document relevant to any investigation has a legal obligation to comply with a request from the police to attend at a police station to give, as required, any such information or document, provided that no person is bound to supply any information or document which would incriminate them.

If information is provided in accordance with Article 355AD, the Police may, orally or by a notice in writing, require any person to attend at the police station, or other place indicated by them, to give such information and to produce such documents as the Police may require and if that person does attend the police station or place indicated to them, they will be deemed to have done so voluntarily. The written notice will contain a warning of the consequences of failure to comply, namely that the person will be guilty of a contravention punishable with detention and will be liable to be arrested immediately under warrant. The written notice may be served with urgency in cases where the interests of justice so require.

National Security and Emergency Powers

EMERGENCY POWERS ACT

Under the provisions of the Emergency Powers Act (Chapter 178), following a declaration by the President of Malta of a state of public emergency, the President of Malta, acting on the advice of the Prime Minister, may make such regulations as appear to him or her to be necessary or expedient for securing the public safety, the defence of Malta, the maintenance of public order and the suppression of mutiny, rebellion and riot, and for maintaining supplies and services essential to the life of the community, subject to the provisions of the Constitution of Malta. Such regulations (in accordance with Article 4(2) of Chapter 178) can include authorising taking possession or control on behalf of the government of any property or undertaking as well as providing for amending any law or suspending the operation of any law and for applying any law with or without modification. Such regulations will expire and cease to have effect after two months unless approved by a resolution of the House of Representatives (Article 6(1) of Chapter 178). These regulations may also be amended and revoked at any time by resolutions passed by the House of Representatives (Article 6(2) of Chapter 178).

CIVIL PROTECTION ACT

Under the Civil Protection Act (Chapter 411), in situations of emergency, disaster or other operation covered by Chapter 411, the Commander as appointed by Chapter 411 or the Director or highest ranking officer of the Assistance and Rescue Force may, among other things, order the immediate requisition of any movable or immovable thing, which is indispensably necessary in his or her judgement for any operation, subject to a right of compensation by the owner.

Oversight of the Use of Powers

Chapter 391 does not provide for judicial oversight. However, Chapter 391 establishes the post of a Commissioner who will keep under review, among other things, the exercise by the Minister responsible for the Security Service of powers to issue warrants.

The Information and Data Protection Commissioner is responsible for the compliance and enforcement of SL 440.01. Aggrieved persons can request his or her intervention. Any decision by the Information and Data Protection Commissioner may be contested in front of the Data Protection Appeals Tribunal.

The Information and Data Protection Commissioner may consult and seek the advice of the Malta Communications Authority.

Subject to the Constitution of Malta, regulations issued under Chapter 178 can be revoked by resolution passed by the House of Representatives.

Censorship-related Powers

SHUT-DOWN OF NETWORK AND SERVICES

Emergency Powers Act

Under the Emergency Powers Act (Chapter 178), following a declaration by the President of Malta of a state of public emergency, the President, acting on the advice of the Prime Minister and subject to the provisions of the Constitution of Malta, may make such regulations as appear to him or her to be necessary or expedient for:

  • securing the public safety;
  • securing the defence of Malta;
  • maintaining public order;
  • suppressing mutiny, rebellion or riot; and/or
  • maintaining supplies and services essential to the life of the community.

Under Article 4 of Chapter 178, such regulations can include authorising the government to take possession or control of property or undertakings; it is possible that this could include Vodafone’s network equipment. It is feasible that, once in possession or control of Vodafone’s network equipment, the government might use its powers to shut the network or services down.

BLOCKING OF URLS & IP ADDRESSES

Emergency Powers Act

The government does not have the legal authority to block URLs or IP addresses. However, should the government take possession or control of Vodafone’s network or services under the Emergency Powers Act, it would be able to use that power to block URLs and IP addresses.

POWER TO TAKE CONTROL OF VODAFONE’S NETWORK

Emergency Powers Act

Under the Emergency Powers Act, the President has the power to control Vodafone’s network where he or she has declared a state of public emergency. See ‘Shut-down of network and services’ above for more details about this power.

Oversight of the Use of Powers (Censorship-related)

EMERGENCY POWERS ACT

Under Article 6(1) of the Emergency Powers Act, the regulations which the President is empowered to make under Article 4 expire after two months unless approved by a resolution of the House of Representatives. Under Article 6(2), such regulations may also be amended and revoked at any time by a resolution passed by the House of Representatives.

Encryption and Law Enforcement Assistance

1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?

There is no express obligation at law through which the government can require a telecommunications operator to decrypt communications data where the telecommunications operator has applied the encryption itself, and Maltese law does not contain any specific provision regarding the decryption of telecommunications data.

However, Article 355AD of the Criminal Code, Chapter 9 of the Laws of Malta provides that:

4 Any person who is considered by the police to be in possession of any information or document relevant to any investigation has a legal obligation to comply with a request from the police to attend at a police station to give as required any such information or document:

Provided that no person is bound to supply any information or document which tends to incriminate him.

If the service provider can decrypt the said information, one may assume that the Police might also try to extend the applicability of Article 355AD in these situations. However, no legal precedent exists and it will be at the discretion of the court to accede or otherwise to a wide interpretation of this clause that may be attempted by the Police.

In addition to the above, Article 355Q of the same Criminal Code also provides that:

355Q. The Police may, in addition to the power of seizing a computer machine, require any information which is contained in a computer to be delivered in a form in which it can be taken away and in which it is visible and legible.

While it is noted that there is no explicit reference to decryption in this article, there is nothing stopping the Maltese Police from seizing servers containing encrypted communication data and subsequently asking the telecommunications operator to provide such data in a form which is ‘visible and legible’. This assumes, however, that the Police would not focus on the obtaining of the information itself, but more specifically on the computer (or server) on which such information is stored.

Moreover, reference is also made to Article 19(1) and (2) of SL 440.01 Processing of Personal Data (Electronic Communications Sector) which, similarly to the Criminal Code, also provides that data retained by electronic communications service providers which is required by the Police or the Security Service for the prevention of serious crime will be provided to such authorities ‘in an intelligible form and in such a way that it is visible and legible’. This also implies that the telecommunications operator may be required to decrypt data for such authorities.

2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?

As explained above, there are no Maltese law provisions which specifically deal with the decryption of data. In Vodafone’s view, because lawful interception (LI) is performed directly by government, if the government needed to decrypt encryption applied by a third party, it would approach the third party directly. Vodafone would not expect government to ask the telecommunications operator to assist with breaking the encryption when the telecommunications operator lacks the technological capacity to do so.

3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and the content of the communication on receipt of a lawful demand?

Yes. Maltese law is completely silent on this matter and therefore Vodafone believes that this would not be in breach of the telecommunications operator’s existing law enforcement obligations.

4. Please provide examples in this jurisdiction where legislation which predated the advent of commercial encryption (which Vodafone estimates to be circa 1990) has been applied to contemporary cases involving encryption. 

There are no examples of this sort in the Maltese jurisdiction.