PROVISION OF REAL-TIME LAWFUL INTERCEPTION ASSISTANCE
Real-time lawful interception forms part of the criminal investigation powers of the “law enforcement agencies” i.e. Police, Carabinieri, Tax Police and other authorised agencies: (“LEAs”), as authorised by the competent judge.
ITALIAN CRIMINAL PROCEDURE CODE
Interceptions within criminal proceedings (sections 266 to 271 of Italian Criminal Procedure Code): in proceedings related to certain crimes listed in section 266 (eg. bribery and corruption, crimes punished with imprisonment up to 5 years, etc.), the public prosecutor is entitled to ask the judge of the criminal investigation (“GIP”) to authorise real-time interceptions, if there are serious suspicions and interception is necessary for the collection of evidence. In matters of urgency, the public prosecutor can directly authorise interceptions but the GIP shall make use of such authorisation within 72 hours. Interception orders are granted for 15 days, renewable for another 15 days (section 267 of the Italian Criminal Procedure Code). Real-time interceptions can be also authorised for electronic and telematics communications (section 266 of the Italian Criminal Procedure Code).
IMPLEMENTING PROVISIONS OF THE CRIMINAL PROCEDURE CODE
Preventive interceptions by LEAs (section 226 of Legislative Decree n. 271 of 1989): for the purpose of preventing crimes by criminal associations and international terrorism organisations, the Minister for Home Affairs or, where delegated by the latter, the Head of IT Department of an LEA or, in certain cases, the Head of Anti-Mafia Investigation Department, are entitled to ask the public prosecutor to authorise real-time interceptions. Interceptions orders are granted for 40 days, renewable for a further 20+20 days.
LEGISLATIVE DECREE N. 144 OF 2005, AS AMENDED BY LAW N.133 OF 2012
Preventive interceptions by intelligence agencies (section 4 of Legislative Decree n. 144 of 2005, as amended by Law n. 133 of 2012): the Prime Minister and, where delegated by the latter, the heads of Italian intelligence agencies (i.e. AISE and AISI) are entitled to ask the public prosecutor of Rome Court of Appeal to authorise interceptions for preventing crimes by criminal associations and international terrorism organisations or, more generally, in the interest of national security. The public prosecutor can authorise the requested interceptions through a reasoned decision. Interception orders are granted for 40 days renewable for further 20+20 days.
Given the legal framework described above, the relevant legislation regulating technical interception capabilities are the following:
Legislative Decree n. 259 of 2003 (“Electronic Communications Code”) prescribes that communication service providers (“CSPs”: i.e. Vodafone) shall comply with any order for interceptions issued by judicial authorities by agreeing with the LEAs over the terms and formalities of their performance.
On December 15, 2005 the Italian Privacy Authority (on the basis of the powers conferred to it by Legislative Decree no. 196 of 2003, “Data Protection Code”) issued specific Guidelines, prescribing to CSPs a number of security measures with respect to mechanisms adopted by the CSPs for carrying out the interceptions.
ELECTRONICS COMMUNICATION CODE
As a general rule, section 96 of the Electronic Communications Code provides for the obligation of CSPs to render assistance and provide information to judicial authorities and LEAs in relation to interception operations for the purposes of justice and public security. Pending the adoption of the Repertorio provided for by article 96 (2) (i.e. a detailed catalogue of mandatory interception services and technical standards which has never been formally adopted although a draft of it is accessible by telecom operators) technical capabilities are from time to time agreed between the CSPs and public prosecutor/LEAs.
ITALIAN PRIVACY AUTHORITY’S GUIDELINES
The Italian Privacy Authority’s Guidelines of December 15, 2005 oblige CSPs to implement a number of organisational and security measures in respect of lawful interception and the exchange of information with LEAs, judicial authority and intelligence agencies.
The main security measures prescribed by the Italian Privacy Authority are the following:
- Organisational aspects of security:
- adoption of an organisational model to limit the knowledge of personal information processed;
- appointment of the persons in charge of the data processing, including a control of the authentication systems and the access to data processed;
- separation of data (accounting data from documentation data produced); and
- strong authentication procedures, including also biometric characteristics.
- Security of the information data flows with the judiciary authority:
- use of communication systems based on secure network protocols;
- adoption of digital signatures to encode documents;
- use of encoding systems based on digital signatures for all the communications with the judiciary authority and LEAs;
- use of certified electronic mail (PEC); and
- delivery of the documents by hand exclusively
through persons appointed by the judiciary authority, keeping a register of the deliveries.
- Protection of data processed for justice purposes:
- development of electronic means to ensure the control of the activities performed by each person in charge of the data processing with audit log registrations;
- adoption of advanced encoding instruments for the protection of data during storage in the information technology systems of the CSPs; and
- limitation of retention of personal data for no longer than is strictly necessary to perform the order of the judicial authority providing for the cancellation of data immediately after the correct transmission to the judicial authority.
Interception operations are normally carried out not directly by Vodafone but through equipment installed at the requesting authorities office (or at an interception centre indicated by the requesting authority). However, in case of interception of “telematic” communications, the public prosecutor may order that the relevant interceptions be carried out also through equipment owned by private entities or individuals (section 268 (3) of Italian Criminal Procedure Code).
According to section 11 of the Prime Minister Decree of January 24, 2013, CSPs, such as Vodafone, providing electronic communication networks or services can be required, among other things, to allow intelligence agencies (AISE and AISI) and the National Security Department (“DIS”) to access their databases on the basis of specific agreements setting out the modalities of such access.
DISCLOSURE OF COMMUNICATIONS DATA
According to article 13 (1) of Law no. 124 of 2007 on the reorganisation of the intelligence agencies, CSPs can be required to cooperate with intelligence agencies, disclosing to them information, including communications data relating to customer communications. This obligation has been recently clarified in section 11 of the Prime Minister Decree of January 24, 2013 which directly refers to the mentioned Law no. 124 of 2007. This states that CSPs are required to “provide information” to intelligence agencies (AISE and AISI) and the National Security Department (DIS) according to their respective competences as set out by Law 124 of 2007, on the basis of specific operational agreements, in the interest of national security: i.e. in order to protect the independence, integrity and security of the Republic from any internal or external subversive activity and criminal or terrorist attack:
Moreover, according to the relevant provisions of the Italian Criminal Procedure Code and Legislative Decree n. 271 of 1989, CSPs can be required to provide LEAs (duly authorised by the judicial authority) with metadata relating to customers communications within criminal proceedings as follows:
- Seizure of data in the possession of CSPs within criminal proceedings (section 254 of Italian Criminal procedure Code): The judicial authority has the power to order the seizure of any information that CSPs possess, including metadata, voicemail or an unread email in an inbox relating to customers; and
- Access to customers’ data by LEAs (section 226 (4) of Legislative Decree n. 271 of 1989): for the purpose of preventing crimes by criminal associations and international terrorism organisations, the Minister for Home Affairs or, where delegated by the latter, the LEAs’ Head of IT Department or, in certain cases, the Head of Anti-Mafia Investigation Department are entitled to ask the public prosecutor to order CSPs to trace telephonic and telematic communications and to authorise access to data relating to such communications and to any other relevant information stored by CSPs.
In addition, section 55 of the Electronic Communications Code sets forth the obligation for CSPs to provide the Minister of Home Affairs with a list of all their customers or purchasers of pre-paid mobile traffic. Moreover, according to the relevant provisions of the Italian Criminal Procedure Code and Legislative Decree n. 271 of 1989, CSPs can be required to provide LEAs (duly authorised by the judicial authority) with customers’ content data stored in their database.
NATIONAL SECURITY AND EMERGENCY POWERS
There are a number of provisions allowing the government to dispose of networks in times of emergencies, such as:
- Section 13 (1) of Law no. 124 of 2007, as clarified by section 11 of Ministerial Decree of January, 24 2013;
- Section 73 of the Electronic Communication Code;
- Section 2 of T.U.L.P.S. (Reformed Law on Public Security).
Section 2 of Law no. 225 of 1992 on the Civil Protection service provides that CSPs must cooperate with the management of a cyber crisis, contributing to help restore network and communication system functionalities.
Section 73 of the Electronic Communication Code establishes that, in case of severe network crash, force majeure or natural disaster, the Ministry of Communications is entitled to set forth the measures needed for guaranteeing the availability of the public phone network. CSPs must implement all the necessary measures for guaranteeing non-stop access to emergency services.
According to Section 2 of T.U.L.P.S. (Reformed Law on Public Security) the Prefect, in case of urgency or state of necessity, is entitled to adopt all the necessary decisions for protecting public order and public security.
Pursuant to Section 2 of Law no. 225 of 1992, after the state of emergency has been declared, the Head of the Civil Defence Department can issue decrees with respect to, among other things, the restoring of strategic network infrastructures.
OVERSIGHT OF THE USE OF POWERS
In addition to what is set out above, Section 96(2) and Section 32 of the Electronic Communications Code set out sanctions for those CSPs which do not comply with specific obligations to cooperate with judicial authorities and law enforcement agencies in relation to interception operations.
The judiciary plays no role in the execution of the operational agreements between the intelligence agencies and the CSP, or in the access operations. However, such agreements are notified to the COPASIR (a special Parliament Committee which controls Italian intelligence activities) and the latter is annually informed on the number of accesses to such these databases.
In case of seizure carried out within criminal proceedings the authorisation and control of the GIP is necessary on the basis of the public prosecutors’ request.
In case of access to customers’ data by LEAs, the authorisation and control of the competent public prosecutor is necessary.
The activity of the Intelligence agencies is directly monitored by the Prime Minister and by COPASIR, whose function is to systematically ensure that the agencies operate in compliance with the Constitution and the law.
CENSORSHIP RELATED POWERS
SHUT-DOWN OF NETWORK AND SERVICES
LAW NO. 124 OF 2007
Section 13(1) of Law no.124/ 2007 establishes a general principle whereby communication service providers (such as, for instance, Vodafone) are required to cooperate with the government intelligence agencies (including DIS, AISE and AISI) if requested to do so in order to allow them to fulfil their institutional duties.
The law does not establish that the mentioned intelligence agencies can interfere in any way (let alone by shutting- down networks and/or services) with the activities of the communication service providers without previously requesting for their cooperation. Any interference with such activities hence needs to be regulated by agreements entered into by the government intelligence agencies and the communication service providers on a case by case basis, which could also entail the possibility for the agencies to take initiatives interfering with the communication service providers’ activities without prior notice. Vodafone has not entered into any such agreement. In any case a specific decree of the Prime Minister’s Office or of its delegated offices (prefectures) is required.
DECREE OF THE PRIME MINISTER OF 24 JANUARY 2013
The Decree of the Prime Minister (“DPCM”) of 24 January 2013 has established guidelines to ensure cyber security and national security and confirms the crucial role played by “ad hoc agreements” with communication service providers in Article 7, paragraph 5.
However, according to Article 11, all communication service providers (including Vodafone) have to cooperate in cyber crisis management restoring the functionality of systems and networks under their control. Based on such provision, there seems to be some areas where, even without an agreement creating a legal obligation, the communication service providers must cooperate with the public entities for a prompt response to the crisis. The specific cooperation requested of the communication service providers is determined on a caseby- case basis.
The regulatory framework designed by Law no.124/ 2007 (as amended by Law no. 133/ 2012) gives a central role to the Prime Minister and to the acts that he can issue based on Article 1, paragraph 3a.
CRIMINAL PROCEDURE CODE
Other forms of cooperation – the content of which is not previously determined – may also be imposed by the judicial authorities and the judicial police pursuant to Article 348, paragraph 4 of the Criminal Procedure Code.
LEGISLATIVE DECREE N. 259 OF 2003 (“ELECTRONIC COMMUNICATIONS CODE”)
Under Article 96 of the Electronic Communications Code, communication service providers (such as Vodafone) must comply with the requests of the competent judicial authority where this is for the purposes of justice. A list of the type of activities that communication service providers may be required to perform is contained in the s.c. “Listino”, adopted with Ministerial Decree no. 14120 of April 26, 2001, pursuant to Article 96(2) of the Electronic Communications Code. The “Listino” refers to discontinuing or suspending the services to a customer as an activity which might be requested.
BLOCKING OF URLS & IP ADDRESSES
Under law n. 124/2007 there is no legal authority for the government to require communication service providers to block URLs or IP addresses for the purposes of national security.
LAW NO. 269 OF 1998
Under Article 14-quater of Law no.269 of 1998, as amended by Law No. 38 of 2006, communication service providers must implement filtering instruments and related technological measures to prevent access to websites containing content featuring child sex abuse. Such filtering instruments and related technological solutions are set by Ministerial Decree of 8 January 2007 and include the blocking of URLs and IP addresses. The department of the Ministry of Interiors includes a department which is responsible for indicating the websites which must be blocked by communication service providers.
LAW NO. 296/2006
The Customs Agency (AAMS, Agenzia delle dogane e dei Monopoli) who carries out a targeted action to combat illegal gambling can adopt specific orders against communication service providers (such as Vodafone) to implement technological measures, to prevent access to websites containing illegal gambling, such as DNS blocking. The list of the illegal gambling site is provided and regularly updated by the Customs Agency.
LEGISLATIVE DECREE NO.70 OF 2003 (“E-COMMERCE DECREE”)
According to sections 14(3), 15(3) and 16(3) of the E-Commerce Decree, the judicial or administrative authority having controlling functions is entitled to order internet service providers (such as Vodafone) to urgently stop violations which are being committed on the internet.
ITALIAN CRIMINAL PROCEDURE CODE (ROYAL DECREE NO. 1398 OF 1930)
According to Section 321 of the Italian Criminal Procedure Code, in the case of a criminal prosecution, the judicial authority may, at the public prosecutor’s request, order the seizure of a thing (for example a website) related to the crime, when such a thing is liable to aggravate the crime’s consequences or to determine the commission of other crimes. In urgent cases, the judge’s order may follow an act of seizure, provided it is within 48 hours of the act taking place.
POWER TO TAKE CONTROL OF VODAFONE’S NETWORK
LAW NO. 124 OF 2007
Please refer to ‘Shut-down of network and services’ above, Depending on the terms of the agreement between the intelligence agency and communication service provider, a communication service provider may be required to hand over control of its network to the intelligence agency in the interests of national security.
OVERSIGHT OF THE USE OF POWERS
Depending on the authority issuing the order, there could be either judicial or administrative oversight of an authority’s use of its powers under the E-Commerce Decree.
ELECTRONIC COMMUNICATIONS CODE
A request made to a communication service provider to perform one of the activities listed in the “Listino” must be made by a competent judicial authority. As a consequence, the exercise of the public powers requesting that cooperation is subject to judicial scrutiny.
LAW NO. 269 OF 1998
The list of websites to be blocked by communication service providers under Law No. 269 of 1998 is maintained by a department of the Ministry of Interior. The courts do not have the power to review the Ministry’s use of its powers in this respect.
LAW N. 296/2006
Communication Service Providers (such as Vodafone) can receive specific communications by the Agency of State Monopolies aimed at removing the filter blocking the access to a given web site. The list of the illegal gambling sites is provided and regularly updated by the Agency.
ITALIAN CRIMINAL PROCEDURE CODE (ROYAL DECREE NO. 1398 OF 1930)
The order is made by a judicial authority and therefore is subject to judicial review.