The Italian Senate on March 15 voted on a bill, put forward by Justice Minister Andrea Orlando, that will reform the criminal justice system, including amending the Code of Criminal Procedure.
Among the many privacy provisions contained in the bill, known as DDL Orlando, is a provision allowing the government to regulate, through legislative decree, the use of malware to engage in hacking for the purpose of a criminal investigation.
One important feature of the bill, which is currently under consideration by the Chamber of Deputies, is the inclusion of guidance on what such a decree could entail, as the use of hacking by Italian law enforcement agents is well documented. According to one report, it has become their investigative "method of choice."
In March 2017, the UN Human Rights Committee expressed concerns about Italy’s practice of hacking and urged the government to review its legal regime and ensure that any hacking of digital devices is in compliance with Italy’s obligations under the International Covenant on Civil and Political Rights, namely Article 17 on the right to privacy.
Hacking as part of state surveillance
"Hacking is one of the most intrusive surveillance techniques available, and we must be very wary of giving governments the power to remotely and secretly access our phones, computers and other electronic devices. It is worth noting that so far the Italian government has not made a convincing case as to how their hacking law complies with international human rights law," commented Privacy International.
First, hacking has the potential to be far more intrusive than any other existing surveillance technique, including the interception of communications. Second, and equally worrisome, hacking has the potential to undermine the integrity of not only the targeted system, but also of devices and networks as a whole.
For these reasons, hacking for the purposes of surveillance seems, at first glance, incompatible with international human rights law.
Common in Italy
Those general concerns notwithstanding, the regulation of hacking powers through public legislation is a necessary first step, if only because the Italian authorities have already been using hacking capabilities without explicit statutory authorization, which the Human Rights Committee rightly criticized.
While DDL Orlando is an opportunity to fill the current legislative gap in the use of hacking for investigative purposes, Privacy International and the Italian Coalition for Civil Liberties and Rights believe that it falls short of the requirements of existing international human rights law.
In particular, the proposal as currently drafted lacks language that is clear and specific, and thus fails to meet the standard of legality, necessity and proportionality. It also does not establish sufficient procedures minimize what hacking is carried out, nor does it establish effective oversight or safeguards from abuse.
"We should be very cautious about legislating on new technologies. Without the proper safeguards, the new standards introduced by the bill will have a dangerous impact on the freedom and privacy of all of us, while not even providing greater investigative powers when it comes to serious crimes," Privacy International says.
We thus urge the Italian House of Representatives to move to amend the hacking provisions contained in DDL Orlando in order to bring them in line with international human rights standards.
Privacy International’s complete legal analysis of the hacking provisions in the DDL Orlando and its shortcomings is available here.