g-docweb-display Portlet

Interception of Communications by Judicial Authorities: Enhanced Security Measures To Be Implemented

Stampa Stampa Stampa
PDF Trasforma contenuto in PDF

versione italiana

Interception of Communications by Judicial Authorities: Enhanced Security Measures To Be Implemented

The Italian Data Protection Authority has set out measures and arrangements public prosecutor´s offices in Italy will have to implement in order to enhance the security of any personal data they collect and use as part of intercepted communications.

The Decision by the Italian DPA (web doc. No. 2551507) followed a fact-finding survey the DPA had started last year on a sample of medium-sized public prosecutor´s offices in Italy (Bologna, Catanzaro, Perugia, Potenza, Venice). The survey was aimed to assess the technological and organizational measures that were applied by those judicial offices when carrying out telephone wiretapping or the interception of Internet and electronic communications. Security measures had been already imposed on the electronic communications service providers that forward intercepted data to the judicial authorities requesting such data.

The findings of the survey showed a medley patchwork of situations, which made it necessary to step in so as to enhance the security of both data and data management systems by applying the relevant measures to all public prosecutor´s offices; in this manner, data protection measures would be harmonized also in the light of the continuously evolving electronic communications technologies as well as of the possible risks arising from the use of IT tools.

"It is especially important to protect the personal information that is collected and used as part of intercepted communications because of the effects the misuse of such information may produce both on the dignity and rights of the intercepted individuals and of any individuals communicating with them and  on the expected effectiveness of the investigation", said Mr. Antonello Soro, President of the Italian DPA.

Accordingly, the Italian DPA required public prosecutor´s offices to implement several stringent measures within 18 months as of publication of its decision in Italy´s Official Journal [Gazzetta Ufficiale]. The measures in question concern both the "Telecommunications Interception Centres" [Centri Intercettazioni Telecomunicazioni, CIT) operating at each public prosecutor´s office and the police offices tasked by judicial authorities with performing interceptions.

Physical Security Measures

In order to access the listening rooms at public prosecutor´s offices, the premises hosting the servers where intercepted telephone or Internet communications are stored or the premises hosting the receiver equipment of such communications, individually allocated badges associated with a numerical code (only known to the individual data subject) or biometrics-based devices will have to be used. All accesses will have to be logged. The technical staff in charge of maintenance or technical interventions will have to be authorized beforehand by the individual public prosecutor´s office. Such technical staff will only be allowed to access the data, information and records that are absolutely necessary for their maintenance activities. CCTV cameras will have to be in operation.

IT Security Measures

The systems and servers used for interception activities will only be accessed by operators (including system administrators) from dedicated workstations on the basis of strong authentication procedures. Such workstations will have to be connected with firewall-protected networks.

All the operations performed as part of interception activities – such as listening, browsing, recording, duplicating and storing information, making transcripts of intercepted communications, maintenancing of systems, destroying records and media – will have to be logged via IT techniques that can ensure non-alterability of such logs.

Mastering and duplication of intercepted contents may only be performed where indispensable by duly authorized staff. Records copied to removable media (e.g. CD-ROMs) will have to be protected via encryption. Containers or envelopes used to carry such media may not bear any information that can allow unauthorised third parties to infer or deduce the scope of the interception.

Only judicial police staff may be relied upon to deliver media and paper records (including transcripts) to judicial authorities.

Soundtracks, any other type of collected information and backup copies will have to be stored in encrypted format. Data extraction may only be performed by way of cryptographic procedures.

All data will be exchanged between judicial authorities and Internet service providers via secure network protocols in encrypted format. The intercepted electronic communications – IP-address flows, e-mails – will have to be transmitted from the interception access point on the provider´s network to the receiver equipment at a CIT in encrypted format as well.

"Roaming" of Interceptions

As regards the so-called "roaming" of interceptions - i.e. the re-routing of intercepted communication flows from the CITs at public prosecutor´s offices to the judicial police offices tasked with such interceptions - the physical and IT security measures to be deployed in the premises used for listening to and recording such flows will have to be the same as those applying to CITs.

The links between public prosecutor´s offices and the relevant police offices will consist in dedicated "point-to-point" connections or else be based on secure networks (e.g. VPNs).

Finally, the Italian DPA drew the Ministry of Justice´s attention to the need for making available the necessary resources in order for public prosecutor´s offices to fully implement the measures set forth in its decision – which "is part of a broader exercise to enhance security of citizens´ personal data vis-à-vis all public administrative bodies", as recalled by Mr. Soro.

Rome, 24 July 2013