Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Parliamentary Joint Committee on Law Enforcement
29/03/2018
Impact of new and emerging information and communications technology

SVANTESSON, Professor Dan Jerker B, Private capacity

Evidence was taken via teleconference—

CHAIR: Welcome. Thank you for talking to us today. The committee has received from you submission No. 3. Do you wish to make any corrections to your submission?

Prof. Svantesson : No.

CHAIR: You're speaking to us from Queensland today—the Gold Coast, I take it?

Prof. Svantesson : Yes.

CHAIR: I hope all the excitement with the Commonwealth Games is going well. Thank you for your time. Could you please make a brief opening statement and give a short synopsis of your submission.

Prof. Svantesson : As you would have seen, my submissions are aimed drawing attention to the importance of securing access to electronic evidence typically held by major internet companies and so on. This is important in the context of cybercrime—that goes without saying—but it's also obvious that more and more evidence sitting in the cloud relates to solving our more traditional crimes, so it's a matter of broad importance. As the companies holding this data are typically located and based overseas, the current model for accessing evidence is via the mutual legal assistance treaty structure. Despite criticism, I don't think anyone is seriously arguing that we should abandon the MLAT structure, as it's referred to. At the same time, I don't think that anyone disputes that we need to improve that structure. Others have researched this much more than me, but just to give an example, work is underway to better coordinate and in a sense simplify the procedure involved in the MLAT structure. One of the issues in the internet setting, when it comes to the mutual legal assistance treaty structure, is that typically you need to know the location of the evidence you want to get. Location, as we know, might not always be easy—or, some would argue, possible—to ascertain when it comes to data. It's widely accepted that we need to supplement the mutual legal assistance treaty structure with some additional channels. Doing so will relieve some of the burden on the MLAT structure and improve its functionality.

The option most people seem to be looking at would provide law enforcement with some form of direct access to data from the relevant internet companies. For that to be a feasible option we need to have sufficient procedural safeguards. It's important to remember that there is absolutely nothing inherent in such a model which precludes appropriate procedural safeguards from being incorporated. For example, we need strong protection for the privacy of those the data relates to. That might include not only the suspect but also anyone who has communicated with the suspect, given the nature of communications data. We also need procedural safeguards to ensure the integrity and reliability of the evidence. The importance of that is also self-evident. One aspect of any new scheme like this would be the procedural safeguards. The other side of the coin is the matter of jurisdiction, which is mainly what I've written about. You often see the idea that if law enforcement in state A is accessing evidence in state B, somehow the sovereignty of state B is violated. That is a far too simplistic way to look at it. It's not the location of the data itself in other settings. I think we can move past that. The underlying problem is too much focus on territoriality as a foundation for jurisdiction at the moment. In my submissions I provide some thoughts on how to move past that while at the same time maintaining some solid grounds for when a country can claim jurisdiction over data.

CHAIR: Your submission goes into detail about the mutual legal assistance treaty schemes we have and the international aspect of cybercrimes. Evidence from other parties to this inquiry has put around 30 to 40 per cent of cybercrimes in Australia as being of international context, which means you still have 60-plus per cent in the Australian context. Then you also have the jurisdictional issues across states. You're making the argument on an international sphere; is there also an argument that we should have much greater coordination of cybercrime policing and enforcement across Australian jurisdictions to start with?

Prof. Svantesson : I imagine that is a necessary step. Whichever step you take first, we need to address all these issues. Any obstacles on a domestic level need to be addressed too, again with the necessity of procedural safeguards always being maintained at the appropriate level.

CHAIR: As others have said, they are traditional crimes of extortion, fraud and harassment, but carried out as cybercrimes across those borders. Would Australia be better placed if we coordinated these activities under one specialist national body, rather than each different state police force with their own separate areas or task forces?

Prof. Svantesson : Crimes in which evidence is located somehow in an electronic setting are going to be investigated from the local police station to being matters coordinated on a federal level. I think we need increased expertise on all levels. More to the point of your question—whether it all should be coordinated on a federal level—I don't have any views there. I just see that this is something we need to address on all of the levels. Any obstacles that are there now in investigating cross-state crimes need to be overcome. Maybe the best approach forward is for more to take place on a federal level. Others are better placed to answer that than me.

CHAIR: You recommended in your submission that Australia consider engaging more actively with the work carried out by the Internet & Jurisdiction Policy Network, of which you're a member. Which countries and law enforcement agencies are members of this network? Does this network advocate for establishing a global convention? Are you aware of any Australian representatives on this network?

Prof. Svantesson : There are many countries taking part in this on different levels. For example, the initial event was hosted by the French government. Earlier this year the second major conference was hosted by the Canadian government. The third one will be by the German government. Obviously these are very active governments, but there are also a lot of governments sending representatives to these meetings and having representatives involved in the more day-to-day work in a sense. At the latest meeting there were over 40 countries represented, many having sent people from various departments and industries. There were people from prosecutor offices and from the police. Looking at the attendance list from the recent meeting in Ottawa I see no-one from the Australian government or police as a sector.

CHAIR: On a separate issue, you've argued:

… we need to move away from territoriality as a core principle of jurisdiction, in favour of a framework that fits better with the world we live in today.

I have a few questions on this. How do you consider that the government should do this? What additional resources are required, if any, to make this change? What legislative changes are required to make this change? What are the risks associated with such a change?

Prof. Svantesson : Let's see if I remember all of those questions.

CHAIR: I'll go through them separately. What do you consider the government should do and what legislative changes may be required?

Prof. Svantesson : This is a matter that needs to be engaged with on a domestic level by way of examining Australian legislation, approaches and so forth to see what can be improved there. It is also a matter then of continuing engaging in the international bodies we are part of and engaging with others—for example, the Internet & Jurisdiction Policy Network that I mentioned. This change is obviously something that takes time. It's something that maybe can't be carried out by just one country, but if no-one starts and takes any steps then obviously nothing will change either. So it needs to be a coordinated effort and, as I said, on both domestic and international levels.

CHAIR: What about additional resources? Is it just a matter of changing priorities and changing focus or do you see substantial additional resources being required in this space?

Prof. Svantesson : There might be obviously resources required for further research and so on, but academics would always claim that we need that, wouldn't we?

It could become an agenda on different department levels to examine what, within their approaches, could be changed. That might not require substantial resources, but it might require bringing this to the surface as an agenda item to be dealt with or examined, at least.

Senator SINGH: I want to ask you a bit more about the cybercrime convention, which, obviously, Australia has acceded to. Firstly, do you think there are any barriers to the Australian government following the convention as it currently stands?

Prof. Svantesson : No. I think the cybercrime convention from the Council of Europe is the main instrument in this field and it's something that Australia should continue to engage with now, but reform work is being carried out in that setting. So Australia should definitely continue to engage with that work.

Senator SINGH: Do you think that, currently, Australian law enforcement is following the principles in that convention?

Prof. Svantesson : I'm not in a place to answer that.

Senator SINGH: Obviously, that convention is coming out of the Council of Europe. Do you think there's scope for there to be a broader international UN-type convention?

Prof. Svantesson : I think it's much more likely there will be success by continuing to work with the Council of Europe instrument rather than trying to replace it, or otherwise work around it with some UN instrument. I think the work that is being done by the Council of Europe is probably the right forum to continue building on, and, of course, attracting more member state countries, to the extent that those new members can live up to the obligations that are involved in being a part of that team.

Senator SINGH: Right. And is that because of the jurisdiction problem you talk about?

Prof. Svantesson : I think the reason I think it's better to continue in this area rather than starting from scratch in the UN is that we have something that is recognised as working. It can be improved, but we have a base instrument to work from. It must be much easier to make progress from that base level rather than starting fresh.

Senator SINGH: Yes, but you do talk about this notion of an outdated territorial thinking in relation to law enforcement access of cloud-stored data et cetera.

Prof. Svantesson : Yes.

Senator SINGH: Do you think this current convention deals enough with some of that?

Prof. Svantesson : It seems to me that the reforms being undertaken now in relation to the cybercrime convention, as in the additional protocols and so on, seem to be going in the right direction. It's too early to say, but there certainly seems to be an appetite to move away from a strict territoriality thinking.

Senator COLBECK: I might follow directly on from that because it's an interesting concept. Effectively, what you're talking about is the virtuality concept of the internet in itself being effectively borderless but being constrained by the borders of the physical world, so to speak?

Prof. Svantesson : Yes.

Senator COLBECK: It's an interesting concept to head down that track, given some of the global political directions at the moment. But, in the context of actually dealing with some of the issues of cybercrime and getting some of those cross-jurisdictional issues dealt with, the concept would be a much easier way of dealing with things if you could deal with all the human elements that sit underneath it. Effectively, what we're trying to address is the concept of data storage sovereignty versus the location where the data storage is physically held.

Prof. Svantesson : Yes. A good example is Facebook, which, for example, has a huge storage facility in northern Sweden. Now, if you say that the data sits on the servers in northern Sweden and it's controlled by Facebook, then the location of that data might not matter particularly much. If the Swedish police want access to the data, they're not going to be able to just go to the data centre and ask for it to be handed over. So the location of the data doesn't help in that setting. They might still have to make a request, I suppose, to Ireland, to pull that data under an MLAT structure today, even though the data sits in Sweden.

So that is an example of where it doesn't make sense to focus on the location in that type of setting. There was a recent case in the US where law enforcement wanted access to data held by Google. In the court, Google made arguments that they cannot at any point in time know exactly where the data sits. This then means that it is impossible to point to a location you should turn to for an MLAT structure. So there are several examples of this, where the focus on location simply doesn't make sense in an online environment. And, quite frankly, I don't understand the argument that, let's say, Sweden's sovereignty would be infringed upon if it were Facebook test data from the Swedish data centre where that data relates to someone in Ireland and all the connecting factors are with Ireland and with an Irish crime being investigated. I don't see Swedish sovereignty being infringed. Sweden might not even be aware that the data sits there. I think that the sovereignty argument is dated.

Senator COLBECK: Although the choice by Facebook to place its data centre there, in Sweden, versus, say, in Russia or in another jurisdiction that might not have, say, such a friendly legal environment, might change that concept, might it not?

Prof. Svantesson : Yes. I think that that actually supports my idea, because as long as we focus on the location of data it's too easy to manipulate that and to place data in a place where you know it's going to be difficult for others to access it—right? So if Australian law enforcement wants to investigate a crime and the criminal is able to avoid that by placing the data on a server in a country that doesn't want to play the game and cooperate, that is another of the flaws associated with a focus on data location.

Senator COLBECK: I suppose that that's effectively what happens now because of our own cross-jurisdictional issues, whereby it's not necessarily easy to access the data unless you have access to a device that gives you direct access through the data host.

Prof. Svantesson : Yes, absolutely. So it's a current problem, I agree.

Senator COLBECK: Okay. Do you have any information on where the bulk of those data-hosting sites are? You just mentioned Facebook in Sweden.

Prof. Svantesson : No, I don't have any data. There are many data centres around the world, and I think that companies are beginning to be quite open about where they have data centres and so on.

Senator COLBECK: Yes, okay—which goes back to the point that I made before, that the locations of those are basically chosen by the companies based on, perhaps, the legal structures in the locations where they sit. I just want to ask you a question around our strength and capacity in data analytics and how important that might be in this space?

Prof. Svantesson : I'm not sure I really understood the question.

Senator COLBECK: Do you have a sense of Australia's strength of capacity in data analytics? It's obviously, from some of the evidence we've already had, an important area. What your thoughts on what we might be able to do there? I'll just go to a submission from Dr John Coyne, who talked about the sheer volume of transactions that are occurring now and the difficulty of law enforcement to sift through all that sort of thing. It's the old story: the best place to hide is in a crowd.

Prof. Svantesson : Yes.

Senator COLBECK: So what is the capacity here in Australia to actually manage that?

Prof. Svantesson : I have no specific insights, but I think it's fair to say that Australia, like just about every other country, is struggling to have law enforcement keep up both with the technical means being used and with the volume. As you say, that is obviously an issue that is very difficult to overcome. But I have no specific figures or anything to add to that debate.

Senator COLBECK: Okay, thank you.

CHAIR: Professor, can you shed any light on why Facebook made the decision to locate their data in northern Sweden?

Prof. Svantesson : There are a variety of factors, I'm sure, but climate is one. Running a big server farm will require a lot of cooling. Obviously in northern Sweden cooling is not a problem in many ways. Factors would have included stability of the political climate and stability of the physical environment—that is, whether it is prone to earthquakes. There would have been a vast set of considerations.

CHAIR: Were there any legal requirements in Sweden regarding the retention of that data that may have affected that decision?

Prof. Svantesson : I don't know. I think that at the time many decisions would have been made there was a uniform law throughout Europe on data retention. You know that was then invalidated and all that, but timing-wise I have no insight on whether that would have been a consideration.

CHAIR: On another subject, with the mutual legal assistance system that we have many submitters to this inquiry have identified difficulties associated with mutual legal assistance and other complications associated with transnational criminal activity. Do you also consider this to be an issue? And how could this possibly be addressed?

Prof. Svantesson : Yes, absolutely. No-one disputes that it is an issue. The MLAT structure is notoriously slow and partly that is because of the inbuilt safeguards. Slowness is not always bad, but clearly if you're investigating a crime and it takes you seven months—the figure of seven months has been tossed around as a rough average—to get access to the evidence it's a serious obstacle for effective law enforcement. Yes, there is absolutely no doubt that improving the MLAT structure is key. As I mentioned initially, that can be done by various things involving improving the actual structure, but it can also be improved by taking some of the burden off the MLAT system and allowing law enforcement access to company data, by direct request to the company, assuming we have sufficient safeguards and so on.

CHAIR: Does that system have any monitoring as to how successful it actually is, the number of prosecutions or the number of offences that were stopped? Is that data available for you to analyse at all or for anyone to analyse?

Prof. Svantesson : Not that I'm aware of. There are some researchers that have focused on matters such as the efficiency of a system, how long it takes and so on, but I'm not aware of any overall figures, and it might very well be that it varies considerably between countries. Certain countries are more used to dealing with these requests than others. And, of course, some countries get a lot of requests, and other countries get very few.

CHAIR: Is there any system in place for sanctions of countries if they are not doing what is considered due diligence in investigation under this system?

Prof. Svantesson : Under the system, I don't know specifically. A lot of treaties might be set up bilaterally and so on, so it might vary in that regard, too. But, under international law, generally there are principles around you cannot use your territory to allow crime directed at other countries and so on. So, on that level, there are principles, but that might go beyond your question.

CHAIR: For example, we often read stories in the papers about people losing money in Nigerian pyramid schemes or various scams where they have sent money—I'm not picking out Nigeria; it's just an example—and anecdotally, it appears that, if you've lost money in that scheme, it's gone, and you have almost zero chance of getting any justice or any recompense for your losses, because perhaps in that country there is a lack of follow-up of law enforcement for various reasons. In the international sphere, is there any method of sanctioning a particular nation if they are seen not to be pulling their weight in these areas?

Prof. Svantesson : Not that I'm aware of within the MLAT structure itself, and I don't know about Nigeria's status. I don't even know, to be honest, whether they are part of the Budapest cybercrime convention, for example. Generally, it would have to be under some sort of agreement where such sanctions could be imposed, unless it's a very serious situation.

CHAIR: Then, when it comes to cybercrime within an international context, does it mean that we can have all the strength of legislation and requirements here and in other countries, but the system's only as strong as its weakest link. If you've got several countries that are sitting outside and closing their eyes to this issue, it breaks down the international system; is that fair to say?

Prof. Svantesson : It is to a degree, but, maybe it could be said it's slightly conflating access to evidence on the one hand and action enforcement on the other. What I've focused my submission on has been the matter of access to evidence. We could very well have a crime taking place in Australia between two Australians with all the connecting factors being Australian. What we need for enforcement is access to the evidence, and the evidence is overseas. But once you get access to the evidence and can prove a crime, then the actual enforcement might not be so much an issue. But you are, of course, completely correct that there is also the other side of the coin, where we have perpetrators overseas that we quite frankly are never going to see go to justice, absolutely.

CHAIR: Are there any follow-up questions? Thank you for your time today. Are there any concluding comments that you would like to make?

Prof. Svantesson : No. That has pretty much covered what I wanted to say.

CHAIR: Again, we thank you for your time and your submission. And let's hope you enjoy the Commonwealth Games over the next fortnight.

Prof. Svantesson : Thank you very much.