IDP2013 (V): Criminal Law

Notes from the 9th Internet, Law and Politics Congress: Big Data: Challenges and Opportunities, organized by the Open University of Catalonia, School of Law and Political Science, and held in Barcelona, Spain, on 25-26 June 2013. More notes on this event: idp2013.

Moderadora: María José Pifarré. Lecturer, School of Law and Political Science (UOC).

Digital Surveillance and Criminal Investigation: Blurring of Thresholds and Boundaries in the Criminal Justice System?
John Vervaele. Full time professor of economic and European criminal law at Utrecht Law School (the Netherlands) and Professor of European criminal law at the College of Europe in Bruges (Belgium)

Criminal law is about prosecuting suspects of alleged crimes. To do saw, some agents have coercive and sanctioning power. Within some boundaries and thresholds, which are utterly important. One of them is the jurisdiction to investigate. Only judicial authorities can investigate — or policial authorities under the supervision of judicial authorities. To investigate there must be suspicion, suspicion under a threshold for that: reasonable suspicion, probable cause, indices of criminality… The more the coercive the measure, the higher the threshold. And, very important, those are reactive measures, always ex-post, after a crime has been committed.

But there has been a paradigm change within criminal law itself.

The criminal justice tools/system are more and more used not to combat committed crime, but to prevent not only crime but even risks and threats. That is, to fight for security. Security is legitimating this change of paradigm. On the other hand, under new regulatory statutes, security agencies are being entitled with the powers of criminal justice.

What about the protective side of criminal justice? Protecting security has to be balanced with rule of law and other human rights. And the more the need (the “more security we need”), the lower the thresholds required to pursue criminal investigations. So low, that we have even shifted towards ex-ante actions, towards acting based on suspicions or risks or threats against security. Now, in this new paradigm, criminal justice-like powers are fighting to prevent the commission of crime, not to prosecute the actual commission of crime.

Plus, the Information Society has also influenced criminal justice and criminal investigation.

Having data before any criminal investigation is due, is very important. So, we have gone even further behind the suspicion that a crime will be committed, and we now gather data just in case. We now want to predict behaviour.

Summing up, we have gone from realinzing that a crime has been committed, investigating it and, thus, needing to gather data; to gathering data just in case, perform active surveillance (just in case too), and, in the end, trying to predict a threat that a crime could be committed (before it is actually or ever committed).

The combination of the change of paradigm and the influence of the Information Society on Criminal Law and Criminal Investigation is a major upheaval in the discipline. And it is a fact that this major upheaval is not restricted to national security, but is spreading to all other criminal offences.

New challenges for the protection of privacy in the age of the cloud.
Ivan Salvadori. Professor of Criminal Law and Criminal Computer Law at the University of Barcelona and Postdoctoral Researcher at Università di Verona (Italy)

Many threats of cloud computing: identity theft, computer damages, abusing private information, data theft, hacking/cracking, DDoS attacks, etc.

Entering an information system without permission, and breaking security measures, has been qualified as a criminal act.

The problem with some laws concerning illegal access to information systems is that e.g. employees of cloud servers or insiders will “never” actually break any security measure. But it can be addressed as “remaining” (too much) in the system beyond the managing needs.

In the same line, appropriation and illicit diffusion of codes for accessing information systems (e.g. cracking and distributing passwords) has also been considered crime in several regulation systems.

So, we do not need much more tools than the ones we already have to prevent or punish misuses of data in the cloud or illicit access to cloud systems.

The reform of the European regulation on privacy protection aims at providing a common frame for all these aspects, taking into account access to information, right to be forgotten, etc.


Chris Marsden: do we find any historical precedent on this shift on criminal law or criminal investigation? Vervaele: I don’t think there is a recent precedent in such an increasing (con)fusion between the legislative, the judicial and the executive powers, at least not in the modern era.

Julián Valero: is it legitimate the delegate all data and all data management to third parties? Salvadori: depending of the law, this delegation could imply an abandonment of responsibilities and, thus, could be punished by the law. Vervaele: maybe the concept itself of “privacy” is obsolete, and we should begin to speak about “informational self-determination”.

9th Internet, Law and Politics Conference (2013)