Gathering digital evidence by the EU Commission in inspections

advertisement
Gathering digital evidence by the
EU Commission in inspections
Dirk VAN ERPS
Head of Unit Cartels II
Forensic IT Project Manager
Madrid, 5 July 2013
Digital Evidence Gathering: Powers
• Reg. 1/2003, Art. 20, 2:
"The officials […] are empowered:
(b) to examine the books and other records related
to the business irrespective of the medium on which
they are stored;
(c) to take or obtain in any form copies of or extracts
from such books or records"
Digital Evidence Gathering: Powers
Means:
- We can look at electronic documents
- We can make electronic copies of (electronic or
paper) documents
(see point 9 of Explanatory Note)
Digital Evidence Gathering: Powers
• DG Comp has started in April 2013 to take
systematically electronic copies of electronic
documents;
• DG Comp is planning to make electronic copies
(scans) of paper documents; one test in June
2013
The revised Explanatory Note
• What for:
• - provide transparency to company, kind of
FAQ
• - handed over to company representative at
start of inspection
• - available on internet
• For information only and without prejudice to
formal interpretation of powers of investigation
Clarifications in 18 March 2013 version
• - provides examples on company's IT
environment and storage media that can be
searched: "laptops, desktops, tablets, mobile
phones, CD-Roms, DVDs, USB-key and so on"
(point 10)
• - reference to 'obligation to cooperate fully and
actively with the inspection' (point 11)
• - more examples stemming from this:
-"explaining organisation and IT environment"
Clarifications in 18 March 2013 version
• "temporarily disconnecting running computers from
network, removing and re-installing hard drives from
computers and providing 'administrator access
rights'-support"
• Possibility to use company hardware (that is not
wiped at the end by Commission) (pt 11)
• Inspectors can keep storage media until end of
inspection but may return earlier after having
made forensic copy of data (pt 12)
Clarifications in 18 March 2013 version
• Commission cleanses all Commission data carriers
used to transfer data at end of inspection (pt 13)
• Revised Note to coincide with introduction of new
workflow
•
Previous Workflow
IT Inspector
Company Computer
No Dedicated Search Tools
DG COMP FIT Laptop
Forensic Software
FIT Inspector
New Workflow
IT Inspector
Nuix Operator
FIT Inspector
Nuix Reviewers
Digital review method has not changed
• Possible relevant documents are 'collected' (no
systematic 'imaging' of entire content, but still
forensic copy from laptops/desktops)
• Possible relevant documents are indexed
• Possible relevant documents are reviewed, now on
a 'platform' basis
• Commission official decides whether document is
relevant
• Company receives list and copy of relevant
documents
Digital review method has not changed
• In principle, review is done on the spot, on the
basis of the content of the individual document,
by a Commission official (in the presence of
company representative)
• Sealed envelope (or 'continued inspection')
procedure remains exceptional:
• Less than 10% of cases
• Often on request of company (as 'Nuix' was not
available on site)
We are not obliged to
• Define the relevance of a document on the basis of
a Commission pair of eyes looking at the individual
document (but we do)
• Describe our interpretation of our rights (but we do
– transparency via Inspection Explanatory Note)
• Describe our workflow and our tools (but we do –
article and presentation as this one)
• Cleanse/Sanitise/Wipe our tools at the end of the
inspection (but we do)
Legal issues
• Location of server: irrelevant: what is available to
company staff is available to Commission official
• LPP: can be excluded from 'search data' and
reviewed separately between Team leader and
company representative
• Keywords: are not provided as they are only
'intelligence' helping to define possible individual
relevant documents (that are provided)
• Chain of custody: company signs 'document list'
that identifies individual documents by path file and
name and Hash Value for entire collection
Legal issues
• 'Continued inspection' or 'sealed envelope'
procedure: Nexans/Prysmian challenge: General
Court: measure implementing inspection decision;
not separable act
• Personal Data: we process in compliance with Reg.
45/2001 applicable to Commission, but no
hindrance to obtain the data
• No procedural harmonisation within ECN but
exchange of practices and experience in ECN
Forensic IT Working Group
DEMO
• Presentation of the Demo CD that is provided to
inspected company at start of inspection to
explain procedure
The End
• Thank you
• Any further questions?
• Dirk.Van-Erps@ec.europa.eu
•
* The views expressed are personal and do not commit the Commission
Download