Capítulo 7: Conclusiones y recomendaciones
8. Bibliografía
The obtained anonymity through ‘privacy enhancing software’ and the use of cryptocurrencies is highly related to the field of privacy. Privacy is a highly-discussed topic, especially in relation to surveillance/security and often generates tension between citizens (privacy protection) and law-enforcement agencies (surveillance). Policy on e.g. encryption is therefore “[..]becoming a crucial test of the values of liberal democracy in the twenty-first century”
(Moore & Rid, 2016, p 7).
The core document of the EU concerning privacy is the Data Protection Directive 95/46/EC (hereinafter DPD)7 and aims to “[..] protect the fundamental rights and freedoms of natural
persons, and in particular their right to privacy with respect to the processing of personal data.” (DPD, 1995, article 1). Its legal basis is codified in both the TFEU (article 16) and the
EU Charter of Fundamental Rights (Article 7 and 8).
The rules laid down in the DPD concerning the processing of personal data do not apply “[..] in the course of an activity which falls outside the scope of Community law [..]” or in cases that concern “[..] public security, defence, State security {..} and the activities of the State in areas of criminal law [..]” (DPD, 1995, article 3.2). In these situations, including illicit drug trafficking, Council Framework Decision 2008/9778 (hereinafter CFD) applies which concerns the protection of personal data in police and judicial cooperation in criminal matters. This Directive strives to balance the “[..] protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy [..]” on one hand and
“[..]guaranteeing a high level of public safety [..]” on the other hand(CFD, 2008, article 1). This Directive does not apply to Europol as Europol (among other agencies) is governed by acts which include data protection provision (CFD, 2008, recital, para 39).
7 This Directive will be repealed on 28 May 2018 and replaced by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with regard to the processing of Personal Data and on the Free Movement of such data which entered into force on 24 May 2016.
8 This Council Framework Decision will be repealed on 6 May 2018 and replaced by Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data which entered into force on 5 May 2016.
Regarding Europol, the ECD included Europol-specific articles on data processing. Europol can “[..] process information and intelligence, including personal data [..]” when it is deemed
“[..]necessary for the achievement of its objectives[..]” (ECD, 2009, article 10.1). As discussed in chapter 3.3., counter cross-border crime, such as illicit drug trafficking, is part of its objectives. In other words, to counter the illicit drug trade, Europol can process information including personal data.
One of the systems in place that are used to process such data are analysis work files (hereinafter AWF) which are used for criminal analysis (ECD, 2009, article 10.4 & 14; Europol, 2012, p 14-17). Additional rules for the processing of data for these AWFs are laid down in Council Decision 2009/936/JHA (hereinafter CDAWF).
Any information that relates to an ‘identifiable natural person’ should be considered as ‘personal data’ according to the CDAWF where an ‘identifiable person’ refers to someone “[..]
who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity” (CDAWF, 2009, article 1e). However, it is also stated that “an individual shall not be regarded as "identifiable" if identification requires an unreasonable amount of time, cost and manpower” (R(87), 1987, p2; Europol, 2012, p 13). This has been agreed upon by the Member States on the Council of Europe Convention 108 and only applies to personal data in the police sector.
Several categories of personal data may be processed in AWFs, where processing refers to “[..]
any operation or set of operations which is performed upon personal data[..]” which include
operations such as collecting, storing or adaptation (CDAWF, 2009, article 1e). A non- exhaustive list of categories is provided in the CDAWF which may be subject to processing and include ‘personal details’, ‘economic and financial information’, and ‘behavioural information’ (CDAWF, 2009, article 6). However, data that reveals someone’s “[..] racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership and data concerning health or sex life[..]” should be proven “[..] strictly necessesary for the purposes of the analysis work file concerned” (CDAWF, 2009, article 5.2).
Despite the rules that are laid down in the ECD and the CDAWF, ambiguity exist when applied to data related to the cryptomarkets. As discussed in chapter 4, both the IP addresses of the server and the users are hidden because of the Tor hidden service. Moreover, transactions are
performed with the partly-anonymous bitcoin. Whether these should be considered as personal data is ambiguous.
As been stated earlier, new legislation on Data Protection will apply from May 2018 which include provisions “fit for the digital age” (EC Justice, n.d.). Even though these do not concern
the processing of personal data by EU bodies, such as Europol, it is worth to include their stance on this sort of data, especially since the existing provisions do not provide certainty. According to recital 30 of Regulation 2016/679, it is stated that online identifiers, such as IP- addresses, “[..] may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them”. In addition, article 3(1) of Directive 2016/680 includes online identifiers as ‘personal data’.
This is in line with two judgements of the Court of Justice of the European Union (CJEU) 9 on, inter alia, the interpretation of ‘personal data’ under the Data Protection Directive. Nonetheless, these judgements show that regardless of the additional information that is necessary to identify someone by an IP-address, it is still required as personal data.
With the use of PETs, IP-addresses can, in principle, not be traced back to ‘identifiable persons’. Nonetheless, it is not impossible, as the FBI proved with the seizure of Silk Road. As discussed in chapter 4, the Tor directory lists all the relays (except for bridge-relays). Due to this directory, the FBI could identify an IP-address that was not linked with any known relays (Tor directory) in the traffic data of Silk Road. This IP-address was assigned to an Icelandic server which appeared to host the Silk Road website and after identification led to the identification of several back-up servers (Tarbell Declaration, para 6-17; Zajácz, 2017, p 29). However, there are still doubts about the method that was being used by the FBI and some even claim that the FBI hacked the server (Arthur, 2013; Zajácz, 2017, p 29).
This shows that there are possibilities to obtain IP-addresses despite the use of Tor hidden services, which then could potentially be regarded as personal data. However, then the notion of “[..]an unreasonable amount of time, cost and manpower[..]” as described in
9 In Scarlet Extended SA v Société belge des auteurs, compositeurs et édieurs ECRL (SABAM), the CJEU ruled that from the point of view of the ISP (Internet Service Providers), IP-addresses should be considered as personal data as “[..] they allow those users to be precisely
identified” (C-70/10, para 51). In Patrick Breyer v Bundesrepublic Deutschland, the CJEU ruled that a dynamic IP-address (one that is assigned with every new connection) should be considered as personal data as it has the potential to “[..]identify the data subject with additional data[..]” (C582/14, para 49).
Recommendation (87) comes into play. Unfortunately, the determination of such is rather subjective. As a result, no incontestable determination can be made, based on the current legal sources.
Regarding the cryptocurrency, bitcoin, the same questions could potentially arise. As been stated above, bitcoins are regarded as a ‘partly anonymous currency’. This anonymity is twofold: both the public keys (the addresses) and the transaction itself (what is bought with it) are considered anonymous. This corresponds with an ‘address unlinkability’ and ‘transaction unlinkability’ which respectively correlate to a ‘user network’ and a ‘transaction network’ (Androulaki et al., 2013, p 38; Reid & Harrigan, 2013, p 204).
Both the ‘user network’ and the ‘transaction network’ make it possible to identify its users especially since the Blockchain (and therefore all the transactions) are publically available. There are various methods to recover identifiable information, especially concerning ‘the user network’ (Reid & Harrigan, 2013, p 212 – 222; Androulaki et al., 2013, p 40-43). Examples include the voluntary disclosure of one’s public-key, which, if combined with other available information, could identify an individual or identification through the corresponding IP- addresses (Reid & Harrigan, 2013, p 213-214; Juhász et al., 2017, p 11).
In other words, bitcoin related data has the potential to identify individuals. Some therefore argue that it should fall under the scope of data protection (Fuster, 2016, p 198; Sorge, 2013, pp 8).
In addition, one could say that it should be included as ‘economic and financial data’. Even though bitcoins are generally not perceived as a fiat currency since its value is not legally backed, a ruling from the CJEU indirectly confirmed that bitcoin is a currency within the EU, at least in the realm of value added tax (VAT) exemptions. In Skatteverket v. David Hedqvist,
the CJEU exempted the exchange of bitcoins for ‘traditional currencies’ and vice versa from VAT as the bitcoin, according to the CJEU, “[..] has no other purpose than to be a means of payment and that it is accepted for that purpose by certain operators” (C-264/14, para 52) This placed the bitcoin in line with other VAT exemptions as mentioned in article 135 (1) (e) of the VAT Directive, which concerns “[..] currency, bank notes and coins as legal tender[..]” (C-264/14, para 52). As a result, data related to Bitcoins should arguably be considered as personal, financial, data.
Finally, as has become clear in previous chapters, international cooperation and intelligence (including personal data) exchange is crucial in the field of cross-border crimes, including illicit
drug trade. This is codified in the ECD. Within the EU, Europol may exchange data with several EU institutions/agencies, including Eurojust and EMCDDA when a working agreement is in effect or when the exchange is deemed “[..] necessary for the legitimate performance
[..]” (ECD, 2009, article 22). Moreover, if the data was communicated to Europol by a Member State, Europol needs consent from the Member State involved prior to transmitting the data to a EU agency. If the data was obtained by Europol itself, transmission of that data should not be liable to obstruction or jeopardizing a Member State involved (ECD, 2009, article 24). In addition to the transmission of data within the EU and its institutions, article 23 ECD provides for the necessities for the exchange of data with third parties. The exchange of personal data is only allowed where a so-called operational agreement between Europol and that party is in place (Europol, 2012, p 22; ECD, 2009, article 23). This operational agreement is based on the guarantee of an “[..]adequate level of data protection ensured by that entity”
(ECD, 2009, article 23.6b).
5.4.2.CONSEQUENCES FOR APPLICABILITY EUFRAMEWORK
The processing of data (not personal data alone) is included in the EU Strategy and its Action Plan, both in the field of drug supply reduction and in the field of information, research, monitoring and evaluation and involve both EU agencies and third countries (Action Plan, 2013, p 6 – 8 & 17-20).
The ambiguity of personal data in this field and therefore its processing by EU bodies such as Europol and Eurojust and the transmission to third parties could potentially result in problems.
The characteristic of encryption and the obtained level of anonymity with the illicit drug trade on the dark net could therefore constitute difficulties in the execution of the EU Strategy and its Action Plan. However, this does not necessarily ask for a different EU Strategy, but rather for a less ambiguous codification of ‘personal data’ under EU law in relation to the rules and standards for processing this data by EU agencies.
In other words, this characteristic affects the applicability of the EU Framework mainly because of another factor: the potential ambiguous codification of personal data in this field.
C
HAPTER6.
CONCLUSIONTraditionally, the trade in illicit drugs took place offline. More recently, technological innovation that was intended to safeguard (online) anonymity in areas with governmental restrictions, was applied to the trade in illicit goods, including drugs. These so-called cryptomarkets exist on the dark net and depend on software such as ‘privacy enhancing software’ (e.g. Tor) and cryptocurrencies (bitcoin).
The most well-known example of a cryptomarket is Silk Road which was seized in 2013 by the FBI soon after which Operation Onymous took place which took down (among others) Silk Road 2. Regardless of these successes, policy documents by the European Union stress the need for action in this field. Therefore, this thesis aimed to answer the following research question:
To what extent can the current European framework against traditional illicit drugs be applied on the illicit drug trade on the dark net?
As the size of this thesis does not permit a full analysis of all the characteristics of the illicit drug trade on the dark net, this thesis focussed on three distinct characteristics of the illicit drug trade on the dark to answer this research question. For each of these characteristics, the main legal domain was identified before the objective(s) of the EU Framework that could consequently be affected by it were identified.
The first characteristic concerned the lack of borders which is highly related to the notion of jurisdiction. Even though this could result in difficulties in determining jurisdiction, this is not a new phenomenon, it is inherent to cross-border crime. In that sense, the illicit drug trade on the dark net does not generate a new problem for the execution of the current EU Framework. The same conclusion can be drawn concerning the second characteristic, the dependency on conventional postal services. The same obstacles that are previously identified by Eurojust would apply and therefore this characteristic of the illicit drug trade on the dark net does not constitute a new problem concerning the EU Framework.
The level of anonymity could however negatively affect the application of the EU Framework. This characteristic is associated with the legal domain of privacy. Despite the use of privacy enhancing technology and the use of cryptocurrency, there is a possibility that IP-addresses or bitcoin transactions can be linked to an individual. This would then potentially be regarded as
‘personal data’. However, the ambiguity in this field could result in difficulties in the application of the EU Framework, most importantly in the field of intelligence sharing. However, this does not necessarily require a new EU Framework, as this could be solved by less ambiguous provisions on the processing of personal data by EU agencies such as Europol.
Overall, it can be concluded that the current European Framework could be applied to the illicit drug trade on the dark net, to the extent that it only applies this applicability is only analysed for three characteristics of the illicit trade on the dark net: its lack of border, its dependency on conventional postal services and the level of anonymity.
B
IBLIOGRAPHY(E-) Books
• Boekhout van Solinge, T. (2004). Dealing with Drugs in Europe. An investigation of European Drug Control Experiences: France, the Netherlands and Sweden. The Hague: BJU Legal Publishers.
• Chalmers, D., Davies G. & Monti, G. (2014). Chapter 14: EU Criminal Law. In: European Union Law. 3rd edition. Cambridge: United Kingdom.
• Fuster, G. G. (2016). EU Data Protection and Future Payment Services. In: Bitcoin and Mobile Payments. Palgrave Macmillan UK.
• Goldsmith, J., & Wu, T. (2006). Who controls the Internet?: illusions of a borderless world. Oxford University Press.
• Lessig, L. (2009). Code: And other laws of cyberspace. 2nd edition.
• Mueller, M. L. (2002). Ruling the root: Internet governance and the taming of cyberspace. MIT press.
• Oster, J. (2017). The Jurisdictional Question & Internet Governance and Regulation. In: European and International Media Law. Cambridge: United Kingdom.
• Papakonstantinou, V. (2010). Cyberspace And Cybercrime. In: Handbook of
Electronic Security and Digital Forensics. World Scientific Publishing Co. Pte. Ltd.
• Reid, F., & Harrigan, M. (2013). An analysis of anonymity in the bitcoin system. In: Security and privacy in social networks. Springer New York.
• Scharf, M. P. (2007). Jurisdiction with Respect to Crime: Universal Jurisdiction and the Harvard Research.
• Swan, M. (2015). Blockchain: Blueprint for a new economy. O'Reilly Media, Inc.
• Vigna, P., & Casey, M. J. (2015). The age of cryptocurrency: How bitcoin and digital money are challenging the global economic order. St. Martin's Press.
• Wang, Y. & Kobsa, A. (2009). Privacy-enhancing technologies. Handbook of research on social and organizational liabilities in information security (pp. 203- 227). IGI Global.
Cases
• Case C-70/10. Scarlet Extended SA v Société belge des auteurs, compositeurs et édieurs ECRL (SABAM). Judgement of 24 November 2011.
• C-145/09. Land Baden-Württemberg v Panagiotis Tsakouridis. Judgement of 23 November 2009.
• C-264/14. Skatteverket v. David Hedqvist. Judgement of 22 October 2015.
• C-582/14. Patrick Breyer v Bundesrepublic Deutschland. Judgment of 9 October 2016.
• United States of America v. Ross William Ulbricht. Complaint of 27 September 2013. 13 Mag. 2328 (FM).
• United States of America v. Ross William Ulbricht. Declaration of Christopher Tarbell.
• United States of America v. Ross William Ulbricht. Judgement of 29 May 2015. S1 14 Cr. 68 (KBF) (S.D.N.Y., 2014).
Publications & articles
• Abbott, R. (2010). An onion a day keeps the NSA away. J. Internet Law, 13(11), 22-28.
• Aldridge, J., & Askew, R. (2017). Delivery dilemmas: How drug cryptomarket users identify and seek to reduce their risk of detection by law
enforcement. International Journal of Drug Policy, 41 (2017), 101-109.
• Aldridge, J. & D. Décary-Hétu. (2016). Cryptomarkets and the future of illicit drug markets. The Internet and drug markets, edited by EMCDDA. Insights 21, pp 23-32. Publications of the European Union, Luxembourg. Referred to as Aldridge, J. & D. Décary-Hétu. (2016a)
• Aldridge, J. & Décary-Hétu, D. (2016). Hidden wholesale: The drug diffusing capacity of online drug cryptomarkets. International Journal of Drug Policy, 35 (2016), 7-15. Referred to as Aldridge, J. & D. Décary-Hétu. (2016b)
• Androulaki, E., Karame, G. O., Roeschlin, M., Scherer, T., & Capkun, S. (2013). Evaluating user privacy in bitcoin. International Conference on Financial
Cryptography and Data Security (pp. 34-51).
• Arthur, S. (2013). Silk Road: suspicions grow that server was hacked ahead of arrests. The Guardian. Retrieved from
https://www.theguardian.com/technology/2013/oct/08/silk-road-hack-suspicion- fbi-server on 26 March 2017.
• Bancroft, A., & Scott Reid, P. (2017). Challenging the techno-politics of anonymity: the case of cryptomarket users. Information, Communication & Society, 20(4), 497-512.
• Barratt, M. J., & Aldridge, J. (2016). Everything you always wanted to know about drug cryptomarkets*(* but were afraid to ask). International Journal of Drug Policy, 35, 1-6.
• Barratt, M. J., Ferris, J. A., & Winstock, A. R. (2014). Use of Silk Road, the online drug marketplace, in the United Kingdom, Australia and the United States.
Addiction, 109 (5), 774-78.
• Bergman, M. K. (2001). White paper: the deep web: surfacing hidden value. Journal of electronic publishing, 7(1).
• Berman, P. S. (2000). Cyberspace and the State Action Debate: The Cultural Value of Applying Constitutional Norms to Private Regulation. U. Colo. L. Rev., 71, 1263 – 1310.
• Böhme, R., Christin, N., Edelman, B., & Moore, T. (2015). Bitcoin: Economics, technology, and governance. The Journal of Economic Perspectives, 29(2), 213- 238.
• Brenner, S.W. & Schwerha IV, J.J. (2007). Cybercrime havens – Challenges and solutions. Business Law Today 17(2).
• Broséus, J., Rhumorbarbe, D., Mireault, C., Ouellette, V., Crispino, F., & Décary- Hétu, D. (2016). Studying illicit drug trafficking on Darknet markets: structure and organisation from a Canadian perspective. Forensic science
international, 264, 7-14.
• Chaabane, A., Manils, P., & Kaafar, M. A. (2010). Digging into anonymous traffic: A deep analysis of the tor anonymizing network. Network and System Security (NSS), 2010 4th International Conference on (pp. 167-174).
• Cottim, A.A. (2010). Cybercrime, Cyberterrorism and Jurisdiction: An Analysis