< FINAL: May 24 >

G8 Government / Industry Conference on High-Tech Crime Tokyo, May 22-24, 2001

Report of Workshop 2: Data Preservation

A. Definition.

The following definition of data preservation was used for purposes of discussion in this workshop. Definitions and other text from the draft Council of Europe Cybercrime Convention and its accompanying Explanatory Memorandum were likewise helpful to the group's work.

1. Upon lawful request by competent authority
2. based on the facts of a specific case
3. specified historical data
4. can be preserved to prevent its deletion
5. pending issuance of a lawful request by competent authority to disclose the data.
   • not future collection of data.
   • not creating new obligations on providers to generate data not already in existence.

B. Operational Model for Discussion of Cross-Border Investigations.

For discussion of cross-border investigations, the workshop used a model for data preservation requests where a competent authority in one country would correspond, via their own government, with a competent authority in a second country. The second country would review the appropriateness of the request and craft a preservation request under the laws of that second country. When formal request for disclosure is transferred subsequently, the second country would review the issues relating to disclosure and may, if appropriate, pass the preserved data to the requesting country.

C. Conflicts of Laws and Jurisdictional Issues.

Participants discussed whether and to what extent conflicts of laws and jurisdictional issues can hinder a provider in complying with a request for preservation. Some participants commented that a lawful notice or request issued by a competent authority could override data protection provisions that otherwise prohibit retention of certain data. At the same time, other laws can require a provider to reveal to the subject of the preservation request the fact that information concerning the subject has been passed or preserved. This can have the unintended consequence of alerting a criminal to the existence of an investigation.

Individual countries with data protection regimes can have different authorized uses justifying the collection of data: for example, for billing purposes only; for law enforcement requests in support of investigations; and for provider protection of property or provider protection against fraud and network abuse. Disparities of this nature among countries can create uncertainties for providers who operate across borders.

In cross-border investigations, requirements for dual criminality (or any domestic criminality) also vary. Some countries can provide preservation where the communication merely passes through its territory, without violating any domestic laws. Other countries may require a violation of its own laws to proceed with preservation. There may be public policy issues with complying with the initial request or the disclosure, depending upon the offense and the country concerned.

Compliance with a preservation request can also impact contractual obligations, public commitments, or company policies a provider may have, such as the agreement to provide anonymity services.

D. List of Issues to be Considered in a Legal Framework for Data Preservation.

Participants drafted a list of issues that could be considered in any current or possible future legal framework for data preservation. That document is attached to this report.

E. Law Enforcement Best Practices for Preservation Requests.

Participants suggested a number of best practices for law enforcement requests for preservation of data, which included:

1. requests by law enforcement should be limited in scope to the extent possible;
2. requests should be articulated in precise and understandable language;
3. requests should incorporate reasonable limits on length of time for preserved data to be maintained;
4. where possible, electronic requests (e.g., by e-mail) should incorporate appropriate authentication techniques;
5. within individual countries, formats for preservation requests should be standardized, in order to minimize the need for analysis by providers;
6. law enforcement should consider the availability and usefulness of investigative means other than preservation, and of using publicly available data;
7. domestic law enforcement should review and screen incoming foreign requests before making a related request to a domestic provider;
8. in cross-border investigations, consider representations from providers concerning potential conflicts of laws, and potential foreign liability for providers;
9. have domestic law enforcement issue domestic preservation requests to providers, where the intial request comes from a foreign jurisdiction;
10. consider, where possible, having a preservation order issued in the jurisdiction where the data is stored;
11. oral requests for preservation, where permitted, should be followed with written confirmation;
12. requests should be revoked if the competent authority learns that process for disclosure will not, in fact, follow; and
13. requests should state what sanctions, if any, are applicable for non-compliance with the request.

F. Law Enforcement Preservation Checklist.

Participants drafted a "checklist" for law enforcement to use in considering and crafting a request for preservation. A completed checklist is not intended for transmission to a provider or for any other use outside of the law enforcement agency. It is intended to assist law enforcement in making concise, practical, and reasonable preservation requests. That document is attached to this report.

G. Industry Responses to Law Enforcement Preservation Requests.

Participants suggested a number of best practices for industry responses to law enforcement requests for preservation of data, keeping in mind the variations in size and resources of individual providers. These include:

1. industry response should be prompt and reliable;
2. industry associations can be used to develop and disseminate information to, and provide training for ISPs, e.g., to explain legal obligations under international agreements and conventions.
3. industry should share best practices broadly;
4. an organization should give careful consideration to where the responsibility for responses resides, and develop expertise within this responsibility area;
5. providers should have a plan to address disputes concerning preservation requests;
6. industry should provide input to law enforcement concerning the process for making requests;
7. to the extent practical, providers should identify and publicize designated operational points of contact to receive and respond to law enforcement requests; and
8. where possible, provider POCs should incorporate authentication techniques, including, for example, digital signatures and cryptography.

H. Areas for Future Work.

1. Consider models for dispute resolution and other procedural issues in relation to preservation orders.
2. With respect to preservation orders, consider mechanisms for providers to have the ability to confidentially consult with and receive advice from trade associations.
3. Opportunities for outreach to non-G8 countries must be developed, in order to share expertise and work product developed on this topic.
4. Discuss trends in technology and the related impact on preservation regimes.
5. Examine industry costs associated with responding to preservation requests.
6. Examine the applicability of preservation requests to transient or "ephemeral" data in order to provide network "trap and trace" information (real-time or historical) where "ephemeral" data is data held within the network for network management, such as network address translation tables and routing tables.
7. Devote time to the topics of real-time tracing, and "preservation and partial disclosure" (for instances where a communication traverses three or more countries), which were discussed at the Berlin Workshop.

[END]