Venice Commission - Report on a rule of law and human rights compliant regulation of spyware
www.venice.coe.int
Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information web-sites etc.).
Every effort was made to provide accurate and up-to-date information. For further details please visit our site: https://www.venice.coe.int/
1. Does your legal framework allow for the use of spyware as a tool of targeted surveillance either in criminal or intelligence investigations or is there an explicit prohibition on the use of spyware? If so, how does your domestic legal framework define spyware?
Kosovo’s legal framework contains no express reference to the employment of spyware as a method or tool of targeted surveillance. Consequently, it is also silent on the definition of spyware. Neither the Criminal Procedure Code nor any other relevant piece of legislation, including the Law on Cyber Security, presently contains a definition of spyware. This being the case, the present legal framework also contains no explicit prohibition on the use of spyware as such.
2. Are there specific rules (covering notably the scope ratione materiae, temporis and personae) in place or do the general rules on targeted surveillance (interception of communications) apply (could you please provide us with such specific or general rules)?
In the absence of specific rules relating to spyware, the more general rules regulating targeted surveillance, more specifically the interception of communications, are the only rules that fill the void and should apply at least until more specific provisions are in place. They are essential to safeguarding human rights and fundamental freedoms and at the same time serve the essential purpose of legal certainty.
3. What kind of data, if any, could be collected with spyware?
As already indicated, the defining feature of Kosovo’s present legal framework is its silence, i.e. the absence of specific provisions relating to spyware. However, on a broader reading of the relevant legislation, it is to be understood that the collection of any data through means of electronic communication can only be permitted insofar as it is justified on the grounds of criminal proceedings or national security considerations.
4. Has there been any official evaluation of the need for, or added value of, spyware?
To date, there has been no evaluation of the need for, or added value of, spyware. One would think that the National Cyber Security Strategy would be the right instrument to evaluate such a need, discern its proper value and define its place in the legal and institutional framework of the country. However, no such analysis can be found in this strategic document, and the same applies to other potentially relevant documents.
5. Who authorises/approves measures of targeted surveillance in criminal and intelligence investigations (judiciary, executive, expert bodies, security services)?
There are two sets of procedures, each applicable within its own context: (1) targeted surveillance in criminal procedure, and (2) targeted surveillance in intelligence investigations. The latter is referred to in domestic law as surveillance for the security needs of Kosovo and its citizens. In principle, both contexts require authorization/approval by a court order, albeit with certain specific nuances and limited exceptions as spelled out below.
6. What are the national oversight mechanisms in place in your country for the activities of the security services (are they judicial, parliamentary, executive, or expert)? Do these bodies have (binding) remedial powers?
In the case of intelligence surveillance, the law provides for a parliamentary oversight mechanism. In other words, the oversight of the Kosovo Intelligence Agency is conducted by an oversight parliamentary body, whose mandate is determined by law and its composition set forth in the Rules of Procedure of the Assembly.
7. Does a post-surveillance notification mechanism exist? Are there any other remedies available for individuals targeted by measures of targeted surveillance?
There is no specific post-surveillance notification mechanism other than the oversight institutions and processes indicated above. At an institutional level, the Commissioner for the Oversight of Interception of Communication can, through its monitoring powers, exert post-surveillance effects. Where violations are found by the Commissioner, the Kosovo Judicial Council refers them to the Panel for Examination and Investigation on the basis of the Criminal Procedure Code, whereas the General Inspector of the Intelligence Agency addresses them on the basis of the competences prescribed in the Law on the Intelligence Agency.
Kosovo
None of the relevant legal instruments, such as the Law on Cyber Security or the Criminal Procedure Code, is by any means an old piece of legislation. The Law was adopted in 2023, whereas the Code in force was adopted in 2022. Other relevant pieces of legislation are likewise relatively recent. In this context, the lack of detailed provisions on more modern means of technology is somewhat surprising. This is, however, not to say that the present framework is insufficient or incapable of addressing problems of substance or procedure arising from the use of spyware. A whole set of provisions and procedures is in place in relation to computer and related systems.
A number of more specific pieces of legislation deal with aspects of content and procedure that are linked to surveillance. Such are the Law on Interception of Electronic Communications of 2015, the Law on the Kosovo Intelligence Agency of 2008, and the Law on State Border Control and Surveillance of 2012.
The only instrument that contains a rather technical reference to spyware is a strategic document of the government rather than a legal instrument. This is the National Cyber Security Strategy 2023-2027, which also does not define spyware; however, it includes it as part of its descriptive definition relating to "malicious software or malware". More specifically, malicious software or malware is conceived in the following terms:
"Means malicious software designed to infiltrate or damage a computer system without the owner’s consent. Common forms of Malware include computer viruses, worms, Trojans, Spyware, adware, etc."
This is the only explicit reference to spyware to be found in any institutional document.
The Law on Interception of Electronic Communications is concise in terms of the reasons for which any measure of targeted surveillance can be permitted. There are two exclusive legal grounds that could justify any interceptive measure, namely:
1. Interception for the purpose of criminal procedure; and
2. Interception for the security needs of the Republic of Kosovo and its citizens.
The specific ground notwithstanding, the Law is clear in setting out the core principles that ought to be observed at all times, which is: (1) the respect for human rights and fundamental freedoms recognized and guaranteed by the Constitution and the European Convention on Human Rights and Fundamental Freedoms, including the judicial practice of the European Court of Human Rights, and (2) the prohibition of interception without a lawful order issued by a competent court.
Another set of subsidiary principles is also laid down by law and must be taken into account by courts when deciding on interception, namely: the essence of the rights and freedoms of the persons for whom a request for interception has been made; the significance of and necessity for interception, and proportionality; the nature, means and extent of interception; the relationship between the aim to be achieved and the possibility of achieving it through other investigative methods; and secrecy and objectivity in the process of interception. Of comparable relevance, and legally binding as well, any measure of interception or targeted surveillance ought to be seen as a means of last resort and be granted only after "other investigative actions for the collection of information have been exhausted."
When it comes to the kind of data, the Law on Electronic Communications is instructive, as it contains a definition, providing as follows: "Data shall mean all data related to communications that are subject to lawful interception order, including, inter alia, time, duration, source, destination, location and type of broadcast equipment or acceptance involved in communications, but excluding the content of a communication."
The present Cyber Security Strategy has a four-year lifespan, covering the period from 2023 to 2027. In this connection, it represents a missed opportunity to delve into such critical dimensions of cyber security.
Of course, the National Cyber Security Strategy is not a static document and can be both reviewed and revised. Other alternatives also exist, including the possibility of developing a ministerial or governmental concept paper that could in turn inform and shape any subsequent legal and institutional changes.
In the case of criminal procedure, surveillance measures are authorized through a court order upon request from the state prosecutor. According to the Law on Interception of Electronic Communications, "the Kosovo State Prosecutor is the only authorized institution to submit request for lawful interception of electronic communications before the competent court", which is the basic court. However, a number of institutions are entitled to propose such requests to the Prosecutor’s Office for lawful interception in the context of criminal procedure, namely the Police, the Customs, the Police Inspectorate and the Tax Administration. The provision that designates the competent authority to order surveillance measures reads as follows: "The measure of electronic communications interception, including text messages or other electronic messages, interception of communications through computer networks shall be ordered by the court upon the request of Kosovo State Prosecutor."
One should note that there is a temporary exception to this rule in connection with criminal procedure, which allows, in urgent criminal cases, for the measure to be authorized by a provisional order issued in writing by the Kosovo State Prosecutor: "In urgent criminal procedures, the competent authority to order in writing the provisional interception measure shall be the Kosovo State Prosecutor." This exception is permitted by the Criminal Procedure Code, which provides: "Exceptionally, the state prosecutor may temporarily order one of the measures ... only if there is a risk of delay and if the state prosecutor has reason to believe that he will not be able to obtain an order of the pretrial judge on time, and he shall notify the court immediately, but not later than twenty-four (24) hours from the moment of issuance of the order. Such temporary order shall cease to have effect unless it is confirmed in writing by the pretrial judge within seventy-two (72) hours of its issuance. When confirming the temporary order of the state prosecutor, the pretrial judge shall ex officio make a written assessment of its legality. If the court accepts the order of the prosecutor, it shall then confirm the order for special investigative measure." The same content is reflected in the Law on Interception of Electronic Communications: "The provisional order ... shall cease its effects and any information or evidence collected during this period shall not be lawful if such order is not confirmed in writing from the competent Judge within three (3) days from the issuing of such order", and such provisional orders cannot be repeated.
In the case of intelligence investigations, the required authorization must be given by a Supreme Court Judge upon a request from the Director or Deputy Director of the Kosovo Intelligence Agency. The procedure is detailed in the Law on the Kosovo Intelligence Agency (KIA). The relevant legal provision reads as follows: "Surveillance in non-public places, or where the parties might reasonably expect to have privacy, the surveillance of telecommunications, and all other forms of electronic surveillance, as well as the entry into property without consent of the owner or temporary occupant, may only be used in cases where there has been an advance authorization by a Supreme Court Judge which shall only be granted upon the review of a written application made under oath and approved by the KIA Director or Deputy KIA Director." In such cases, the Supreme Court Judge is bound by an obligation of secrecy with respect to the information gained.
The Law also provides for the possibility of emergency surveillance orders, which are granted orally, and subsequently confirmed in writing by a Supreme Court Judge: "In an emergency situation, when time does not permit the preparation of a written application by the KIA Director or Deputy KIA Director or the granting of a written order by a Supreme Court Judge, the application may be made and the order for covert surveillance granted orally, to be confirmed in writing within forty-eight (48) hours." This procedure is also referenced in the Law on the Interception of Electronic Communications in connection with the security needs of the country and its citizens. It provides: "Interception for the security needs of the Republic of Kosovo and its citizens are carried out in accordance with the Law on Kosovo Intelligence Agency, following the issuance of a Court Order from a Supreme Court judge."
The parliamentary oversight body holds sessions at least bi-annually. Its responsibilities include, inter alia, overseeing the legality of the work of the Intelligence Agency, reviewing reports from the Director of the Intelligence Agency regarding the operations of the Agency and the reports from the Inspector General, as well as conducting inquiries regarding the work of the Agency. "If the parliamentary oversight body has grounds to believe that the KIA is performing its duties in an unlawful, inappropriate or unprofessional manner, it may conduct an inquiry during the course of which the parliamentary oversight body may question KIA employees and have access to relevant KIA documents."
The Law on the Intelligence Agency also provides for a complaints mechanism. Individuals, institutions and third parties have the right of complaint against the Kosovo Intelligence Agency: "Complaints may be addressed to the Ombudsperson Institution," and that any complaint submitted to the Ombudsperson Institution "shall not prejudice the right of an individual, institution or third party to seek adjudication from a court."
The Law on the Interception of Electronic Communications also provides for oversight and penalties. The Regulatory Authority for Electronic and Postal Communications is the body authorized to oversee the operation of network operators and service providers and their compliance with the Law on the Interception of Electronic Communications, other relevant laws on interception and any by-laws issued in accordance with these laws. The Authority has a wide range of powers, extending as far as the revocation of the licence or authorization of the respective network operator or service provider.
Additionally, the Law on the Interception of Electronic Communications establishes a distinct institution, the Commissioner for Oversight of Interception of Communication. The Commissioner is a mechanism functioning within the institutional structure of the Kosovo Judicial Council and conducts an annual control of the lawfulness of the interception of communications in accordance with the law. The Commissioner reports on an annual basis to the Kosovo Judicial Council, to the State Prosecutor and to the respective parliamentary committees of the Assembly of Kosovo about identified possible violations. The Commissioner is appointed by the Kosovo Judicial Council from among the judges of the Supreme Court.
The Commissioner also cooperates closely with the Agency for the Protection of Personal Data and informs the Agency of the findings of the Commissioner’s monitoring report. As already indicated, affected individuals have access to judicial remedies and can also lodge complaints against public institutions with the Ombudsperson Institution.