Venice Commission - Report on a rule of law and human rights compliant regulation of spyware
www.venice.coe.int
Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information web-sites etc.).
Every effort was made to provide accurate and up-to-date information. For further details please visit our site: https://www.venice.coe.int/
1. Does your legal framework allow for the use of spyware as a tool of targeted surveillance either in criminal or intelligence investigations or is there an explicit prohibition on the use of spyware? If so, how does your domestic legal framework define spyware?
Italian law does not use the term referred to in the query; instead, the Code of Criminal Procedure (hereinafter CCP) uses the broader notion of “computer interceptor” (captatore informatico). See also, as to the implementing secondary legislation, the Ministerial Decree of 6 October 2022, which defines the “electronic interceptor” (captatore elettronico) as «any disguised system, inoculated remotely, which, by eliminating the effects that prevent the knowledge of the communication or data, allows the interception of the audio-video contents and of the data exchanged or allows the interception of face-to-face conversations, and remotely collects the positions taken by the equipment in the territory» (Article 1 lett. m).
2. Are there specific rules (covering notably the scope ratione materiae, temporis and personae) in place or do the general rules on targeted surveillance (interception of communications) apply (could you please provide us with such specific or general rules)?
A) Referring to criminal proceedings, the general rule on interception of conversations or communications (Article 266, par. 1 CCP) provides that «telephone conversations or communications and other forms of telecommunication may be intercepted in proceedings related to offences» identified on the basis of a quantitative criterion (edict penalty) or a qualitative criterion (type of offence). With specific reference to spyware, it is important to note that, from a theoretical point of view, the trojan horse, as it is known, can carry out several intrusive operations and collect a variety of data. For example, the malware is capable of intercepting communications between computers and telematic systems (emails, WhatsApp messages, Skype conversations, etc.), activating microphones and/or cameras and GPS, recording everything typed on the keyboard (so-called keylogging function) and everything that appears on the screen (so-called screenshots function). It can also infiltrate the memory of devices where data is stored, thus capturing all data and information contained in or passing through the infected device, as well as modifying any information stored or transmitted. Despite these numerous functions, the Italian Parliament has only expressly regulated the use of that investigative tool to carry out the interception of face-to-face conversations and only on mobile devices. In fact, pursuant to Article 266, paragraph 2 CCP, the investigating authority may, in the same cases provided for in paragraph 1, intercept communications between persons present in the same place (rectius, interception of face-to-face conversations) by «captatore informatico» on a portable electronic device. However, if these take place in the places referred to in Article 614 of the Criminal Code (i.e. private domicile), the interception with spyware may only be carried out «if there are justified reasons to believe that a criminal activity is occurring there».
Moreover, according to paragraph 2-bis of Article 266 CCP, «the interception of face-to-face conversations through the insertion of a spyware in a portable electronic device is always permitted in proceedings for the offences referred to in Article 51, paragraphs 3-bis and 3-quater, and provided that the reasons justifying its use are stated, also in the cases referred to in Article 614 of the Criminal Code, for offences committed by public officials or persons in charge of a public service against the public administration, for which a maximum penalty of at least five years’ imprisonment is provided for, as determined in accordance with Article 4 CCP».
A problematic issue, however, arises regarding the possibility of using spyware to carry out the specific interceptions regulated in Article 266-bis CCP. The provision, entitled «Interception of computer or electronic communications», states that «in proceedings related to the offences referred to in Article 266, as well as the offences committed by using computer or electronic technologies, the interception of communication flows with computer or electronic systems among different systems is allowed». In other words, the flow to which Article 266-bis CCP refers may be represented either by the exchange of e-mails or communications through instant messaging applications, or by sound files and voice communications. Although the provision does not explicitly refer to the possibility of using the trojan horse to carry out this type of interception, the Italian Supreme Court considers that the use of the spyware must be considered as permitted for the execution of interceptions pursuant to Article 266-bis CCP (see, for instance, Italian Court of Cassation, no. 48370/2017).
Pursuant to Article 267 CCP (general rule) the Public Prosecutor shall require the Preliminary Investigation Judge to issue an authorization for ordering the activities referred to in Article 266 (i.e. interception of communications and conversations). The authorization shall be given by reasoned decree if there is serious suspicion that an offence has been committed and the interception is absolutely necessary to continue the investigation.
Pursuant to Article 267 CCP (specific rule), when, at the request of the Public Prosecutor, the Preliminary Investigations Judge authorizes the interception by spyware, he shall indicate – with an assessment that does not have to slavishly follow the request – the reasons why such modality is necessary for the conduct of the investigation («Il decreto che autorizza l’intercettazione tra presenti mediante inserimento di captatore informatico su dispositivo elettronico portatile espone con autonoma valutazione le specifiche ragioni che rendono necessaria in concreto tale modalità per lo svolgimento delle indagini»); and, when proceeding for offences other than particularly serious ones (i.e. the offences, already mentioned, referred to in Article 51, paragraphs 3-bis and 3-quater CCP) and the most serious offences committed by public officials against the public administration, the places and times in relation to which the microphone may be activated must also be determined, even indirectly.
Pursuant to the above-mentioned Article 267 CCP, paragraph 2 (general rule), «in cases of urgency, if there are justified reasons to believe that any delay can seriously hamper the investigation, the Public Prosecutor shall order the interception by reasoned decree, which shall be forwarded immediately and, in any case, within twenty-four hours, to the judge of preliminary investigations. Within forty-eight hours of the delivery of the decision, the judge shall decide on its validation by reasoned decree. If the decree of the Public Prosecutor is not validated within such time limits, the interception shall not be continued, and its results shall not be used».
Pursuant to the above-mentioned Article 267 CCP, paragraph 2-bis (specific rule), the interception of face-to-face communications by inserting a spyware on a portable electronic device («mediante l’inserimento di un captatore informatico su un dispositivo elettronico portatile») may be ordered by the Public Prosecutor only in the case of proceedings for particularly serious offences (i.e. the offences, already mentioned, referred to in Article 51, paragraphs 3-bis and 3-quater CCP, such as, for example, mafia-type criminal association) or for offences committed by public officials against the public administration. Articles 268 and 269 CCP provide for general rules regarding the procedure for interceptions and preservation of documentation. Article 270 CCP regulates the use in other proceedings of the results of interception. As a general rule, the results of interceptions «shall not be used in proceedings other than those for which they have been ordered, unless they are essential for ascertaining offences for which arrest in flagrante delicto is mandatory». Pursuant to Article 270 paragraph 1-bis (specific rule), the results of interceptions of face-to-face communications carried out by inserting a spyware on a portable electronic device («mediante l’inserimento di un captatore informatico su un dispositivo elettronico portatile») may be used in other proceedings if they are deemed indispensable for ascertaining particularly serious offences (i.e. offences, already mentioned, referred to in Article 51, paragraph 3-bis and 3-quater CCP), and particularly serious offences committed by public officials against the public administration. Lastly, the special rules for the interception of conversations or communications provided for organized crime offences in particular (Article 13 of Legislative Decree No. 152 of 13 May 1991) apply to the use of the computer interceptor as an interception tool.
3. What kind of data, if any, could be collected with spyware?
As interceptions are involved, the data collected are, as a rule, the dynamic flow of conversations and communications. As mentioned above, the Italian legislator has regulated and thus authorized the use of spyware in criminal proceedings exclusively for the interception of face-to-face conversations carried out on a portable device (Article 266, paragraph 2 and 2-bis CCP). Any other form of interception is therefore not expressly authorized by law. In practice, however, the Court of Cassation has often considered legitimate the use of other functions performed by the trojan horse, even if not expressly permitted by the littera legis. For example, in decision no. 3591/2021, the judges considered legitimate the acquisition of an Excel file in progress on a personal computer by means of a screenshot made by the spyware, since it is a mere detection of the computer data in progress, object of “communicative behaviour” susceptible to interception and also to video recording pursuant to Article 266-bis CCP, and not a computer search aimed at searching and extracting pre-existing data. Moreover, in decision no. 40903/2016, it was considered legitimate to use a trojan with a keylogging mode to obtain the access password to the suspect's email that he was typing on his device.
4. Has there been any official evaluation of the need for, or added value of, spyware?
One of the latest official assessments of the whole matter is the one gathered in the results of the fact-finding activity carried out by the 2nd Senate Permanent Commission (Justice) on the various issues concerning interception of communications and conversations (see annex). The results of the fact-finding investigation can be found in the «Documento approvato dalla 2ª Commissione permanente (Giustizia) nella seduta del 20 settembre 2023 (relatori: Bongiorno, Berrino e Zanettin) a conclusione dell’indagine conoscitiva sul tema delle intercettazioni».
5. Who authorises/approves measures of targeted surveillance in criminal and intelligence investigations (judiciary, executive, expert bodies, security services)?
Judicial Authorities in any case: see the above-mentioned Article 15 of the Italian Constitution. However, a distinction should again be made according to the context in which the spyware can be used (in terms that we described supra).
6. What are the national oversight mechanisms in place in your country for the activities of the security services (are they judicial, parliamentary, executive, or expert)? Do these bodies have (binding) remedial powers?
There are two levels of control mechanisms. First of all, a judicial control: the Prosecutor General at the Court of Appeal in Rome should authorize wiretapping ordered in the context of the activities of the Security Intelligence Services. Secondly, there is a parliamentary control, entrusted to the Parliamentary Committee for the Security of the Republic, which is composed of five deputies and five senators, and appointed, at the beginning of each legislature, within twenty days of the vote of confidence in the Government. According to Article 30 of Law No. 124 of 3 August 2007, the Committee is appointed «by the Presidents of the two branches of Parliament in proportion to the number of members of the parliamentary groups, while still ensuring equal representation of the majority and oppositions and taking into account the specificity of the tasks of the Committee». The Committee «shall systematically and continuously verify that the activities of the Security Intelligence Service are carried out in accordance with the Constitution and the laws, in the exclusive interest and for the defence of the Republic and its institutions». The control functions of the Parliamentary Committee for the Security of the Republic are regulated in detail by Article 31 of Law No. 124/2007. In particular, the Committee «may obtain, even in derogation of the prohibition established by Article 329 of the Code of Criminal Procedure, copies of acts and documents relating to proceedings and investigations under way at the judicial authority or other investigative bodies, as well as copies of acts and documents relating to parliamentary investigations and inquiries. The judicial authority may also transmit copies of acts and documents on its own initiative».
7. Does a post-surveillance notification mechanism exist? Are there any other remedies available for individuals targeted by measures of targeted surveillance?
In the case of interception of face-to-face conversations, ordered by means of a spyware, the general procedure of control on the execution of the operations (Article 268 CCP) and on the preservation of the documentation (Article 269 CCP), entrusted to the judicial authority, as well as on the exercise of the rights of defense in criminal proceedings, do apply. Provisions are envisaged (Article 271 paragraph 1 CCP) for prohibiting the interception outside the cases allowed by law or without complying with the provisions of the law. Moreover, it is provided (Article 271, paragraph 1-bis CCP – specific rule) that data acquired during the preliminary operations prior to the insertion of the spyware on the portable electronic device and data acquired outside the time and place limits indicated in the authorization decree cannot be used in any case. At any stage and instance of the proceedings, the court shall order that the documentation of wiretaps carried out in breach of the prohibitions of the law be destroyed (Article 271, paragraph 3 CCP).
Italy
More recently, EU Regulation 2024/108 (Media Freedom Act) has defined «intrusive surveillance software» as «any product with digital elements specially designed to exploit vulnerabilities in other products with digital elements that enables the covert surveillance of natural or legal persons by monitoring, extracting, collecting or analyzing data from such products or from the natural or legal persons using such products, including in an indiscriminate manner». The Italian constitutional reference is Article 15, which reads: «The liberty and secrecy of correspondence and of every form of communication shall be inviolable. Limitations upon them may only be imposed by decision of the judiciary, for which the reason must be stated, in accordance with the guarantees laid down by law». Therefore, interception of communications is always under the authority of a judge, and a judicial authorization is necessary to order an interception of communications. For the members of Parliament, Article 68 of the Italian Constitution reads: «2) No members of Parliament shall, without the authorization of the Chamber to which they belong, be subjected to search warrants on their persons or in their homes, nor arrested or otherwise deprived of personal freedom, nor kept in a state of detention, save in the case of execution of an irrevocable sentence of conviction, unless they be caught in the act of committing an offence for which an order of arrest is mandatory. 3) A similar authorization shall be required in order to subject members of Parliament to any form of interception of their conversations or communications, and in order to seize their mail or correspondence».
It is necessary to make a distinction according to the different context at which spyware can theoretically be used:
A) in the course of criminal proceedings (post notitia criminis). It is important to note that, according to Article 335 CCP, criminal proceedings start when the «Public Prosecutor enters immediately, in the dedicated register retained in his office, any notitia criminis he receives or acquires».
B) for preventive purposes ante delictum, in order to protect public security. In the Italian legal system, law enforcement authorities may carry out preventive investigation measures at a time prior to the formal start of the criminal proceedings. In this respect, preventive investigation measures also include “preventive interceptions” or “ante delictum interception” (intercettazioni preventive), the regulation of which is contained in Article 226, implementing provisions CCP. The aim of this measure is not to obtain evidence in the course of criminal proceedings, but to prevent crimes.
C) during intelligence operations carried out by the Italian Security Intelligence Services. These are interceptions of communications that can be carried out even in the absence of criminal proceedings, irrespective of the existence of a notitia criminis, and can be used for the purpose of protecting national security.
The regulation of interception varies across the three different contexts.
A) The use of spyware in the course of criminal proceedings has been expressly legitimised only since 2017, by Legislative Decree No. 216 of 29 December 2017, which amended the general rules on “traditional” interception of communications and conversations (Articles 266 et seq. CCP) by inserting an explicit reference to the possibility for the investigating authority to use the “captatore informatico” (this is the expression used in the Italian CCP when referring to spyware. Italian jurisprudence and scholars also often resort to the use of terms such as “trojan horse” and “agente intrusore”). Before the approval of Legislative Decree No. 216/2017, no legal provision legitimised the use of the trojan. However, in practice the spyware was still used to conduct criminal investigations prior to 2017. The first judgment of the Italian Supreme Court dealing with this issue was no. 16556/2009, but the most important decision is that of the Joint Chambers, 28 April 2016, no. 26889, in which the judges legitimised, even in the absence of an ad hoc regulation, the use of the spyware exclusively to carry out interception of face-to-face conversations in proceedings only for organised crime offences, i.e. cases in which, pursuant to Article 13 of Legislative Decree no. 152/1991, interception is allowed everywhere, including in the home (protected by the Italian Constitution under Article 14). In this ruling, the trojan horse was defined as «a computer program [...] installed on a target device (computer, tablet, smartphone), usually remotely and surreptitiously, by sending it by e-mail, SMS or update application. The software is made up of two main modules: the first (server) is a small programme that infects the target device; the second (client) is the application that the virus uses to control the device». This is the only para-legal definition of spyware in the Italian criminal procedure system.
B) From a legal point of view, the regulation of ante delictum interception is contained in Article 226 implementing provisions CCP, entitled «Interception and preventive control of communications». This provision establishes that «The Minister of the Interior or, by delegation, the heads of the central services referred to in Article 12 of Decree-Law no. 152 of 13 May 1991, as amended by Law no. 203, as well as the Questore or the Provincial Commander of the Carabinieri and the Guardia di Finanza, shall apply to the Public Prosecutor for the main town of the district where the person to be monitored is located or, if this cannot be determined, of the district where the need for prevention has arisen, for authorisation to intercept communications or conversations, including by telematic means, as well as for the interception of face-to-face conversations, even if these take place in the places referred to in Article 614 of the Criminal Code, if this is necessary for the acquisition of information for the prevention of the offences referred to in Article 407, paragraph 2, letter a, no. 4 and 51, paragraph 3bis of the Code, as well as those referred to in Article 51, paragraph 3quater of the Code [i.e. particularly serious offences, such as mafia-type organised crime, serious drug offences or offences committed for terrorist purposes], committed through the use of information or telematic technologies. The Minister of the Interior may also delegate the Director of the Anti-Mafia Investigation Directorate, limited to the offences referred to in Article 51(3-bis) of the Code». The elements acquired through preventive activities cannot be used in criminal proceedings.
C) Article 4 of Decree-Law No. 144 of 27 July 2005, converted with amendments into Law No. 155 of 31 July 2005, and last amended by Law No. 197 of 29 December 2022, provides for the institution of “intelligence interception”. The provision establishes that «The President of the Council of Ministers may authorise the Directors of the Security Intelligence Services referred to in Article 2, paragraph 2, of Law No. 124 of 3 August 2007 to request authorisation for the interception of communications or conversations, including by telematic means, as well as for the interception of communications or conversations held in the places referred to in article 614 of the Penal Code, if this is deemed necessary for the performance of the tasks entrusted to them by articles 6 and 7 of law no. 124 of 3 August 2007». The authorisation «shall be requested from the Public Prosecutor’s Office at the Court of Appeal in Rome, which shall grant the authorisation if the conditions laid down in Article 4-bis are fulfilled».
B) As mentioned above, the regulation of ante delictum interception is contained in Article 226 implementing provisions CCP. As can be observed from the littera legis of the provision (cfr. supra, question no. 1), there is no explicit reference to the possibility of using spyware in preventive interception. However, the issue is debated among Italian scholars. It can be assumed that the absence of a provision in Article 226 to legitimise the use of spyware with reference to preventive interception excludes its applicability (ubi lex voluit, dixit; ubi noluit, tacuit). However, according to some commentators, the use of the trojan horse in the ante delictum phase must be considered permissible for two reasons. On the one hand, the explicit reference in Article 226 to the expression «including by telematic means» would recall the establishment of telematic interception in Article 266-bis CCP, in relation to which, as seen above, the Italian Court of Cassation allows the use of spyware. On the other hand, since Article 226 refers to the types of interception that can be carried out during the criminal proceedings (Article 266 CCP), the use of spyware must also be allowed in the preventive phase. It follows that, although not expressly provided for in the provision, preventive interception by means of trojan virus would be perfectly legitimate, since it is implicitly included among the possibilities of the provision itself, which extends its scope to all types of judicial interception provided for in the Code of Criminal Procedure. Finally, with regard to the activities other than interception, which have not been expressly regulated by the legislator in the context of criminal proceedings, the Italian doctrine seems to exclude the possibility of using computer interception.
In other words, if the only type of “legal” interception device is the one that allows only the interception of communications, it must be affirmed that all other activities carried out by means of Trojans cannot be considered legitimate, both in the repressive and in the preventive phase.
C) As mentioned above, intelligence interception is regulated by Articles 4 and 4-bis of Law No. 144 of 27 July 2005. In this case too, as in the case of “interceptions ante delictum”, the law makes no explicit reference to the possibility of using spyware as a means of carrying out intelligence interceptions. However, the question arises as to whether, in the absence of an explicit reference, spyware may nevertheless be used in the course of intelligence interception. In this respect, it is important to note that, prior to the adoption of Law No. 197/2022, Article 4, with regard to the subject matter of intelligence interception, referred only to the provisions of paragraph 1 of Article 226 implementing provisions CCP, i.e. to preventive interception. Currently, on the other hand, the subject of intelligence interception is regulated in a completely autonomous manner, being identified with «the interception of communications or conversations, including by telematic means, as well as the interception of communications or conversations between persons present, even if these take place in the places referred to in article 614 of the Criminal Code» (Article 4). However, the amendment to the law does not change the subject matter of the interception, and therefore the same arguments that we have described above with regard to the admissibility or otherwise of the use of the trojan horse in ante delictum interceptions can be used here. In brief: although the law does not explicitly allow the use of the trojan horse in intelligence interceptions, some authors, by way of interpretation, allow this possibility.
A) In the context of criminal proceedings, Article 267 CCP lays down the necessary conditions for ordering a wiretap, stating that «the Public Prosecutor shall require the Preliminary Investigation Judge to issue an authorisation for ordering the activities referred to in Article 266. The authorisation shall be given by reasoned decree if there is serious suspicion that an offence has been committed and the interception is absolutely necessary to continue the investigation» (paragraph 1). With specific reference to the use of spyware as a form of interception of face-to-face conversations by means of a portable electronic device, the same paragraph further provides that the order of the judge in charge of the preliminary investigation must «set out, with an independent assessment, the specific reasons that make this modality necessary in concrete terms for the conduct of the investigation; and, in the case of proceedings for offences other than those referred to in article 51, paragraphs 3-bis and 3-quater, and for offences committed by public officials or employees against the public administration for which the penalty is not less than five years' imprisonment, determined in accordance with article 4, the places and times, even indirectly determined, in relation to which the activation of the microphone is authorised».
B) In the context of preventive interception, Article 226 implementing provisions CCP confers the power to request preventive interception on the Minister of the Interior or, by his delegate, on the heads of the central services referred to in Article 12 of Decree-Law No. 152 of 13 May 1991, converted with amendments by Law No. 203 of 12 July 1991, and on the Questore or the Provincial Commander of the Carabinieri and the Guardia di Finanza. The request shall be addressed to the Public Prosecutor of the Court of the main town of the district in which the person to be intercepted is located or, failing that, of the district in which the need for prevention has arisen, who may authorise the interception.
C) With regard to the intelligence phase, Article 4 of Decree-Law No. 144 of 27 July 2005 assigns to the President of the Council of Ministers the power to authorise the Directors of the Security Intelligence Services referred to in Article 2, paragraph 2, of Law No. 124 of 3 August 2007 to request authorisation for the interception of communications or conversations, including by telematic means, as well as for the interception of communications or conversations, even in the places referred to in article 614 of the Penal Code, if this is deemed necessary for the performance of the tasks entrusted to them by articles 6 and 7 of law no. 124 of 3 August 2007. The authorisation shall be requested from the Public Prosecutor's Office at the Court of Appeal in Rome, which shall grant the authorisation if the conditions laid down in Article 4-bis are fulfilled.