PRESS STATEMENT: Privacy International and the Italian Coalition for Civil Liberties and Rights call to Amend DDL Orlando on Hacking
On 15 March 2017, the Italian Senate voted on a Bill, put forward by Justice Minister Andrea Orlando, that will reform the criminal justice system, including amending the Code of Criminal Procedure. Among the many provisions contained in DDL Orlando, currently pending approval by the Italian House of Representatives, the Government is mandated to regulate, via a legislative decree, the utilisation of malware (commonly referred to as ‘Trojans’ in Italian discourse) to engage hacking for criminal investigations. In so doing, the Bill, as currently drafted, provides the Government with some general guidance on what such a decree might entail. The use of hacking by Italian law enforcement is well-documented and, according to one report, has become their “method of choice”. On March 2017 the UN Human Rights Committee expressed concerns about Italy’s practice of hacking and urged the Italian Government to review its legal regime and ensure that any hacking of digital devices is in compliance with Italy’s obligations under the International Covenant on Civil and Political Rights, namely Article 17 on the Right to Privacy.
Privacy International and the Italian Coalition for Civil Liberties and Rights question whether hacking can ever be a legitimate component of state surveillance. First, hacking has the potential to be far more intrusive than any other existing surveillance technique, including the interception of communications. Second, and equally worrisome, hacking has the potential to undermine the integrity, not only of the targeted system, but also of devices and networks as a whole. For these reasons hacking for the purposes of surveillance is, prima facie, incompatible with international human rights law.
Those general concerns notwithstanding, the regulation of hacking powers through public legislation is a necessary first step, if only because the Italian authorities have already been using hacking capabilities without explicit statutory authorization as the Human Rights Committee has rightly criticized. While the DDL Orlando is an opportunity to fill the current legislative gap in the use of hacking for investigative purposes, PI and CILD believe that it falls short of the requirements of existing international human rights law. In particular, the proposal as currently drafted lacks specificity and thus fails to meet the standard of legality, necessity and proportionality, nor does it establish sufficient minimization procedures, effective oversight, or safeguards from abuse.
Privacy International says that “Hacking is one of the most intrusive surveillance techniques available, and we must be very wary of giving governments the power to remotely and secretly access our phones, computers and other electronic devices. It is worth noting that so far the Italian government has not made a convincing case as to how their hacking law complies with international human rights law.”
CILD adds: “We should be very cautious about legislating on new technologies. Without the proper safeguards, the new standards introduced by the bill will have a dangerous impact on the freedom and privacy of all of us, while not even providing greater investigative powers when it comes to serious crimes.”
We thus urge the Italian House of Representatives to move to amend the hacking provisions contained in the DDL Orlando in order to bring them in line with international human rights standards.
Privacy International’s complete legal analysis of the hacking provisions in the DDL Orlando and its shortcomings is available at: https://www.documentcloud.org/documents/3728074-Privacy-International-s-Analysis-of-the-Italian.html