OSINT: what admissibility of the information collected in litigation? (4/4)
Content of the case: 4 articles
- OSINT : what are the legal grounds for it (1/4)
- OSINT: lawfulness of the collection and use of information (2/4)
- OSINT: what compliance with the RGPD? (3/4)
- OSINT : what admissibility of the collected information ? (4/4)
Information, although collected during an OSINT activity based on a legitimate legal basis, and carried out under conditions that ensure compliance with legal principles, is not automatically admissible as evidence in litigation.
One must be careful to distinguish between the production of evidence and the admission of evidence.
The following should also be considered:
The source of the piece
The authenticity of the piece
The anonymity or not of the sources
Witnesses’ and victims’ protection
Compliance with applicable legislation
French and European legislation
In French criminal law, the principle is freedom of evidence. This seems to be in line with the admissibility of OSINT reports insofar as Article 427 of the Code of Criminal Procedure states: “except in cases where the law states otherwise, offences may be established by any means of proof and the judge shall decide on the basis of their own conviction. The judge can only base their decision on evidence brought before them during the debates and discussed in the presence of both parties.”
In general, the main actors to provide evidence are the officers, the judicial police officers and the magistrates. However, evidence may be produced by the parties. The Criminal Division of the Court of Cassation considers that the criminal courts may not reject the evidence produced by the parties on the sole ground that it was obtained in an illegal or unfair manner. It is only up to them to assess the probative value of the evidence after having submitted it to the adversarial discussion (Court of cassation, criminal chamber, 2002).
In concrete terms, digital evidence is collected by means of a report (statement of facts, investigation report or report annexation minutes) by the investigators, a note from a specialist assistant or by direct inclusion in the file of documents submitted by the parties.
It should be noted that the evolution of the law of evidence and the principle of trustworthiness in criminal procedures has offered interesting applications of the notion of justifying fact in this area. Jurisprudence has held that the commission of certain offences may be justified if it was strictly necessary for the exercise of the perpetrator’s rights of defense and to produce evidence in criminal or civil cases.
For example, jurisprudence has considered that a husband unduly accused of domestic violence by his wife was entitled to produce, in his defense, a bailiff’s report transcribing in full the recording of a conversation he had with his wife in which she acknowledged the false nature of the attestation she had produced. (Crim. 31 Jan. 2007, no. 06-82.383).
As regards civil law, the Court of Cassation admitted, through a decision of May 18th 2005, the possibility for the judges of the first instance to rely on a private investigation report, admitting at the same time the legality in principle of using this method of proof in divorce cases.
In any event, the mere production of a private investigation report is not sufficient. On the other hand, when it is submitted to the debates in support of, or in addition to, other evidence, it is likely to constitute an additional element to the reality of the adulterous relationship established by one of the partners and therefore to convince the judge.
Ultimately, the main thing, here as elsewhere, is to convince the judge of the existence of the alleged facts. And it can be seen once again that, when it comes to establishing the truth in divorce proceedings, in other words proving fault, the principle of respect for private life rarely constitutes a diriment obstacle .
 Dalloz reference Divorce law and practice – E – Other modes of proof -122.261. Private investigation reports.
In public law, the Conseil d’Etat has held that the public employer is bound by an obligation of loyalty towards its employees and infers that it cannot ‘base a disciplinary sanction against one of its employees on documents that it has obtained in disregard of this obligation [of loyalty], unless there is a major public interest in doing so‘ (CE 16 July 2014, req. No. 355201). The unfairness of the procedures used to obtain evidence is therefore taken into consideration here. This evidence could however be admitted if a major public interest justifies it. In this case, the Conseil d’Etat gave a much less demanding interpretation of the fairness of the evidence by admitting that the sanction could be based on the report of a detective agency if this report was based on “material observations of the behavior of [the agent] during his activity and in places open to the public”.
Regarding global regulation, there are several paths to consider.
The Rome Statute of the International Criminal Court provides in Article 54 that the Prosecutor “shall extend the investigation to all facts and evidences which may be relevant to the determination of criminal responsibility”, without specifying the type of evidence.
Thus, the judges will assess each piece of evidence in a sovereign manner, and for an element to be considered as such it must meet three criteria, namely:
Considering the requirements of a fair trial
In addition, the Berkeley Protocol is the first publication containing global guidelines for public digital data (photos, videos, other information published on social media such as Facebook, Twitter, YouTube) as evidence in investigations of violations of international criminal law, human rights law and international humanitarian law.
It was developed by the Human Rights Centre at the University of California at Berkeley and the Office of the High Commissioner for Human Rights (OHCHR).
It is stated that all those involved are responsible for the security of an investigation and of the people involved. It is therefore important to reinforce the security precautions regarding the infrastructure, hardware, software and networks, but also regarding the behavior of the investigators and of all the people with whom they interact.
These safety assessments should be carried out at three levels:
At the organizational level
At the investigative level or on a specific case
At the level of specific activities and tasks
Protective measures should be put in place to mitigate the risks and threats as identified in the risk assessment of the investigation.
Security assessments must consider all types of prejudice, including digital, financial, legal, physical, psychosocial and reputational. The report finds that some of the greatest vulnerabilities in OSINT investigations are associated with Internet connection data and IP addresses, as well as the broader analysis of user behavior.
Investigators and the investigating agency should undergo continuous security training and deploy safeguards that will evolve over time in response to the changing nature of threats or vulnerabilities.
The protocol sets out professional, methodological and ethical principles:
The professional principles includes the responsibilities, competence, objectivity, legality and safety awareness.
The methodological principles includes accuracy, data minimization, retention and security and be defined as early as the project is defined.
The ethical principles address dignity, humility, inclusiveness, independence and transparency.
This protocol therefore provides broad guidelines for the framework of OSINT use but can serve as a basis for future regulation.
It explains that it is important to determine which laws may apply in order to know what can be collected about a person and by what means. This may also vary depending on the identity of the investigators, the identity of their targets, the purpose and object of the investigation, but also the data collected and the associated legal requirements in the country/countries in question. It will also be important to ensure that the integrity of the data collected is preserved and that the actions taken to obtain the data are documented so that the evidence is admissible in court.
The necessary threshold of digital evidence will vary depending on the type of investigation and its final purpose (criminal proceedings, civil litigation, transitional justice process). However, it should be borne in mind that violation of an individual’s right to privacy may lead to the exclusion of evidence.
Conditions for the legality of OSINT software
When the customer is a private and physical person, the operation of the software must not allow the commission of the criminal law offences mentioned above and according to Article 323-3-1, nor “the fact, without a legitimate reason, in particular research or computer security, of importing, holding, offering, transferring or making available equipment, an instrument, a computer programme or any data designed or specially adapted to commit one or more of the offences provided for in Articles 323-1 to 323-3.”
When the client is a public entity with investigative powers, the software must comply with the rules applicable to that public entity. Finally, the software must be designed in compliance with the GDPR and the Informatique & Libertés law.
The admissibility of information collected via OSINT as evidence in criminal matters therefore remains the prerogative of the judge, but the work in progress on the subject opens the way to more precise regulation of the practice, which would allow a more objective assessment.
The reference texts :
Article 6.1 f of the GDPR (legal basis for legitimate interest)
Article 14.5b of the GDPR (exemption from informing data subjects in case of disproportionate effort)
Article 34 of the GDPR (notification of a data breach to the data subject)
Recital 49 of the GDPR (legitimate interest of network and information systems security)
Article 12 and 14 of the GDPR (information to data subjects)
Articles 323 to 323-8 of the Penal Code (penalties for breaching an automated data processing system).
https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000711604/ (Fir I)
https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000033558528/ (Sapin II law)
The Berkeley Protocol attached
https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000037108959/2022-04-21 (Article 427 of the Code of Criminal Procedure)
https://www.icc-cpi.int/sites/default/files/Statut-de-Rome.pdf (Rome Statute of the International Criminal Court)