Jusletter IT

The term “governance” means a complex system of social regulation which applies in many sectors¹. We can argue that such complexity also afflicts the concept of “public governance” which can be tackled under at least four different aspects. Indeed, it can be considered by the institutional level of involved authorities (international, national, local), it can be analysed by the mixed composition of public powers as defined by the traditional political science (legislative, executive, judicial), it can be also structured as an effort to coordinate beneficially the impartiality of public authorities with the interests of private entities (stakeholders) and, finally, it can be integrated by the intertwin of legal regulation and technological procedures. Concerning this last aspect. In this contribution we address these last two aspects, the latter having become nowadays very tightly connected².

It might be said that nowadays an effective “public governance” cannot be achieved unless including a thorough technological assessment and, in particular, developing a strategic approach towards information technologies. On this regard, it is noteworthy that this topic has been conceptualized as “data governance” and has been recently defined as “power relations between all the actors affected by, or having an effect on, the way data is accessed, controlled, shared and used, the various socio-technical arrangements set in place to generate value from data, and how such value is redistributed between actors”³. About that there is a lively discussion among experts on many aspects, as guiding principles⁴, scope⁵, components⁶, challenges⁷, economic impact⁸. Data governance, to sum up, defines the policies to adopt in the deployment of technological infrastructures in order to improve the quality of data.

The European Union is shaping its own “data governance”. The year 2020 perhaps will be remembered not only for the pandemic disease, but also for having been a turning point in European history for the extraordinary improved effort put by the institutions in pushing towards innovation, as emerges in COM (2020)66⁹. The strategy outlined in this document has been recently made a first significant step further with the proposal of the “Data Governance Act”¹⁰, which will create a new legal framework in which new actors will intermediate the exchange of data, increasing the reliability of the entire ecosystem. Among the many provisions included in the proposal, it is noteworthy the fact that data can be shared not only for profit, but also for general interest, which is defined as “data altruism” (Art. 2(10)) when processing can be delegated to special entities, namely “data altruism organisations” (Art. 15). Therefore, we can argue that this EU Regulation, if it will come into force, will not only guarantee the availability of public-owned data, allowing for example its re-use, but also widen their employment, increasing their added value for customers and companies.

The need of a more structured governance, as a crucial component in the process of digitalization, has emerged even in the judicial sector, especially with regard to electronic evidence. Indeed, among the many initiatives included in the “E-Justice” Strategy which have been implemented in last years¹¹, recently it has been pointed out the benefit deriving from a comprehensive harmonization¹² of existing services and platforms. Specifically, the most recent initiatives aim at integrating the exchange of data concerning evidence into the E-Codex platform¹³, creating specific standards and ontologies¹⁴. Thanks to this approach, many improvements have been made after 20 years since the “Budapest Convention” of the Council of Europe¹⁵, which symbolically constitutes the certificate of birth of international cooperation in this field.

The technological innovation which, according to some inspiring perspectives, is continuously accelerating¹⁶, afflicts many aspects of our society. This trend has a significant impact on criminal investigations, since it can be claimed that digital forensics have inevitably become crucial in most of them¹⁷.

In the near future, forensic experts will face many new challenges, especially with the massive adoption of IoT (Internet of Things) technologies. Indeed, in such a digital ecosystem the number of potentially interconnected devices, their vulnerability, the volatility of the storage units and the continuous exchange of information on open networks represent the major factors that greatly reduce the quality of the information available and which therefore limits the acquisition of genuine and reliable evidence. We argue that viable solutions, in this scenario, are made possible not only by enhancing the coordination among investigating authorities, by strengthening the cooperation among enforcement agencies and by the creation of interoperable systems and common standards – as designed by EU strategy – but also extending the actors involved in the process in order to include manufacturers, developers and distributors, on the one hand, and integrating automated processes of collection of relevant data, on the other. Therefore, we claim that an effective “data governance” has become vital in IoT forensics.

Our contribution envisages a model of data governance of electronic evidence suitable to be implemented in the EU framework and applied to IoT devices, whereby the creation of a public-private partnership based on a certification scheme combined with a third-party key escrow model. Indeed, we believe that the quality of the information carried by each single IoT device and exchanged in its environment can be standardized similarly to what happens in other technological sectors (e.g., certification of energy consumption by electric devices, cybersecurity clearance for 5G infrastructures¹⁸). Moreover, we deem that an independent agency would be optimal for issuing certifications and for monitoring the compliance with the said standards (as recently proposed in the field of artificial intelligence and robotics by the European Parliament¹⁹), acting as an impartial agent towards investigative authorities, judicial administration, public prosecutors and defendants.

The reminder of this contribution is as follows. In Section 2 we analyse our first tenet, namely the cooperation between public authorities and the private sector focusing on the field of ICTs, in order to remark the fact that this model is not entirely unknown and could be reliable also in Digital Forensics. In Section 3 we deepen the second assumption, regarding the intertwin between legal regulation and technological processes, showing how the acquisition of electronic evidence from IoT devices could be simplified and automated implementing a third-party escrow schema based on the extraction of data coupled with a HASH function. In the conclusion we balance drawbacks and benefits and offer some final evaluations.

Twenty years after the aforementioned Budapest Convention on Cybercrime, many things have changed. Legislators worldwide have adopted new approaches to regulation, increasingly implementing “soft law” techniques. Such a trend, which can be claimed as parallel to the spreading of “governance” methods, originated as an instrument of self-regulation of international commercial relations and is characterized by the fact that rules are spontaneously respected by the interested parties, creating trust towards the environment in which they operate, thus reinforcing their strength. In other words, the effectiveness of the regulation is based on the accountability of the stakeholders²⁰.

The so-called “soft law” has been used by the European Union since its awakening in order to harmonize the legal systems of the Member States and, increasingly, as a tool for regulating the internal market. In this second case, and especially in the technological sector, this regulatory approach has shown remarkable results due to the integration of legal rules and industrial standards. Indeed, the duty of assuring certain levels of quality in products and services has been delegated to specific agencies, vested with the authority of issuing certifications to manufacturers in order to enable them to compete with each other in the EU market. Through this model, market regulation has been able to achieve a flexibility and a proactivity that would have been impossible with legal provisions based on the binominal obligation / penalty brought by traditional general theory of law²¹.

It is remarkable to point out some cases in which such a model has already been deployed. Indeed, the certification model is contained in several recent pieces of legislation, as the “Cybersecurity Act” of 2019²² whose article 48 contains a request to ENISA propose a European cybersecurity certification scheme (ECCG), or the GDPR, which allows the creation of codes of conduct for operators in a given economic sector (article 40 GDPR) and the use of product and service certification mechanisms (article 42 GDPR)²³. Moreover, a recent proposal of Regulation²⁴ describes a procedure for requesting an ethical certification for “high risk” technological artifacts deploying artificial intelligence, robotics and related technologies. We can argue that the European Union has shown to be keen to a broader adoption of the certification model because it allows a proactive approach to “future-proof solutions”.

As mentioned in the introduction, the exponential surge in the number and variety of electronic devices makes it necessary and urgent to change the traditional approach to Digital Forensics. Indeed, it is not foreseeable that the procedures provided by current Computer Forensics will still be adopted in the field of IoT, however agreed by the community of experts they might be. Moreover, it is unacceptable that any new approach could end up reducing fundamental rights and individual freedoms and allowing an arbitrary exercise of power by police authorities. One of the first objectives of “data governance” in this field should be to raise awareness in public opinion and stakeholders that the quality of forensic data is a value to be pursued in all circumstances, not depending on the possibility of a trial, and that it concerns everyone, not just those who may per involved in it.

We believe that the simplest way to obtain this result is to establish that IoT devices – those fulfilling binding requirements – entering the European market should comply with certain standards, including the possibility to create a forensic copy of their storage units in the most complete way. It goes without saying that it is very unlikely even to enter such a negotiation with global players at national level. Therefore, we can hypothesize the institution of an agency of sort by the EU, which in this contribution we will call EECA (Electronic Evidence Certification Authority), or the empowerment of existing authorities already operating as a EU organism (e.g., ENISA). This entity would essentially be responsible for verifying that the devices introduced in the EU market comply with the required technological standards. In a nutshell, it would attribute to market operators a kind of accountability that otherwise they would not have.

The essential purpose of EECA is to neutralize a twofold conflict: between investigative authorities and manufacturers, on one side, and between prosecutors and defendants, on the other. The first pertains to the direct access to devices, which is claimed by officers, especially in criminal investigations, on one hand, and it is refused by manufacturers to avoid intrusions on industrial secrets and strategic know-how, on the other. As examples in this sense, we can mention the “Clipper Chip”²⁵ dispute of the Nineties and the more recent one between F.B.I. and Apple in the aftermath of the San Bernardino attack of 2015²⁶. The second regards the risks of contamination and manipulation of the source of evidence, since EECA would be vested with the maximum impartiality towards each actor involved in a trial. We believe that the trustworthiness of the agency, under these two aspects, would be based on the fact that its role is merely technical, so less prone to be strumentalized or manipulated. In our proposal the balance of the conflicting interest is obtained by the fact that detectives do not access the device but the forensic copy extracted which is owned by them. The same copy remains available for disclosure according to the defendant’s rights granted by the criminal procedure system of the Member State where the trial is based.

In order to explain the technical details of our proposal, we offer a preliminary outlook on the most common issues emerging in an ordinary workflow in which a physical device is analysed for forensic purposes, then we describe a valid solution that has been actually deployed in the Netherlands. After that, we outline our proposal briefly describing its technical details and the resulting procedure of collection of electronic evidence. Our proposal can be represented as composed by a two-layered model, the first being a “security mark” that manufacturers should be required to obtain for their IoT devices in order to market them within the EU, while the second is qualified by the implementation of a HASH function to the data extracted from the target device.

Let’s assume that a device is legitimely seized during an investigation. To begin with, after having acquired the device law enforcement agents should have to carry them to a laboratory which should be available in a reasonable time, ready to operate, supplied with cutting-edge – and so, expensive – technologies, geographically near to the prosecutors’ offices where investigations are being conducted or to the courts where trials will be held. Needless to say, sometimes in real life these preliminary conditions aren’t always concurring at the optimum combination. Secondly, after the analysis, the laboratory should return the device to requesting officers together with a report listing the performed technical operations and describing the results obtained. About that, concerns can arise from the reliability of tools employed, especially due to the fact that manufacturers or distributors usually introduce built-in security measures to protect information contained in their products or services. In other terms, every forensic data extraction is done bypassing such hurdles, mostly without the cooperation of the producers of the devices²⁷, and overcoming many other difficulties, such as exploiting “0-day” vulnerabilities, or adapting to different models which, although bearing the same name, are constantly improved and released into the market²⁸, or even to different operating systems, which are monthly, even if slightly, upgraded. Lastly, since normally the detectives and the technicians of the forensic laboratory cover different roles and develop different expertise, the firsts being the only one aware of the context of the investigation, and the seconds dealing only with the task to extract data, it might be that some information obtained could be useless to the investigators, or, conversely, that analysts could have overlooked essential information.

There have been many initiatives aimed at simplifying the workflow while strengthening the “chain of custody” of electronic evidence. Among them, remarkable in our view is the solution elaborated by a group of scholars in 2006 and implemented in the Netherlands since 2012²⁹. In this model, detectives are enabled to upload any sort of data – so called “traces” – into a cloud archive owned by central laboratory, where they can be remotely analysed by experts, thus the concept of “forensics as a service”, thus allowing law enforcers to obtain timely intelligence suitable to be exploited in the early phases of investigations. Namely, when they can be more effective in solving them.

Among the many advantages of the model just mentioned, there is a feature that can be improved, which pertains to the topic of this year’s IRIS conference: the “data governance” of electronic evidence. Such centralized model, indeed, could be optimal in most cases, but – at least – it lacks flexibility and adaptability to specific conditions. Furthermore, it does not define a proactive and comprehensive strategy which could provide a concrete and enduring benefit for the whole system. In other words, we believe that when it comes to IoT forensics, decentralization and scalability should be prioritized as leading organizing principles, as well as design specifications should be adopted by manufacturers in order to automate extraction of data featured by high quality.

These further conditions can be obtained introducing the “security mark” as anticipated in the introduction of this section. We propose that manufacturers could be requested to submit their products to the approval of the EECA as a prerequisite to introduce them into the EU market. In order to obtain such certification, the design of IoT devices should include a cloud service which should be available for the extraction of a “forensic copy” by law enforcers. It is remarkable, in this model, that detectives do not access the devices directly, neither opening them physically nor manipulating their content, being their activity limited to connect the device to a certified pc and extract the certified copy of archived data. To sum up, the access granted to investigative authorities should have no “write” authorization (only the extraction of data), should be allowed only under specific conditions (mainly an authorization issued by a judge) and should be limited to a defined outcome (the forensic copy of the archive). Defendants, of course, should have the same privileges.

The second layer of certification is granted by applying a HASH function to the data extracted in order to guarantee the genuinity of the forensic copy. In this paper we can define a hash function as an efficiently computable³⁰, collision free³¹ and not invertible³² mathematical function which takes any string as input, and produces a fixed-size (i.e., 256 bit) string as output. Such a definition allows to stipulate that:

1. Any file of any length (a single image, a text file, or an entire bitstream copy of a hard disk) can be mapped in a fixed-length string³³. The time needed for this “transformation” depends on the size of the original data stream, and goes from a few seconds to some minutes;
2. Even if surely different strings of bits can collide to the same HASH, since the number of possible n-bits strings are limited to 2ⁿ whereas the number of possible inputs of the hash function is virtually infinite, there are no known algorithms suitable to find 2 different strings with the same HASH. The consequence is that, starting from a data stream, nobody can (that is, there aren’t computers able to) find a different data stream with the same HASH. Applied to our certification framework, this property ensures us that we can’t “duplicate” our extracted data with another set of data having the same HASH.
3. It’s impossible, from a given hash, to obtain the data stream which has that hash as output. This means that, starting by the hash of data extracted from a device, nobody can reconstruct the content of the device itself.

A mathematical function with the three properties just described can be used also to mark a digital content of whatever length, since once done this, it would be impossible for someone both to understand which is the original starting set of data, and to produce (in acceptable time) another set of data with the same HASH.

This last feature is the main reason why the HASH function is well-known by scholars and practitioners, especially in information security and moreover forensic analysis. Indeed, it is applied to the data collected in order to assure the genuinity and integrity of evidence³⁴. We suggest that a HASH string should be automatically generated by the process of extraction from the cloud of the IoT device inspected, and at the same time made available to detectives and directly sent – or uploaded – to a database owned by the EECA.

The result of the process would be threefold. First, investigative authorities do not need direct access with the device – in fact, they do not need even physical contact with it – since the acquisition of data does not require its apprehension, thus manufacturers are not required to share trade secrets or technical details with governments or companies. Second, since the generation of the HASH string is automated, it cannot be influenced by any human intervention, so tampering evidence becomes very improbable. Third, the EECA operates as third-party escrow of the HASH function, namely the only piece of information the genuinity of the evidence depends on. Each interested party – defendants, in primis – should be allowed to access the EECA archive – even remotely, of course – in order to verify the concordance between the HASH string associated with the forensic copy of the IoT device storage and the HASH string registered in the EECA database. A match between the HASH strong enclosed in the prosecutor’s office casefile and the HASH string recorded in the EECA database should warrant the integrity of the electronic evidence.

Despite how far and improbable might be the moment in which our proposal becomes effective – we are fully aware that introducing a technological standard or a certification scheme is a very complex matter – the fact is that the EU is moving towards a wider adoption of both “governance” and “soft law” approaches as a way to implement the principle of “proportionality” (Article 5(4) TEU) while it is increasing the integration between traditional legislation and technological standards in order to maintain a flexible and adaptable approach to complexity. In our model, the challenges presented by IoT forensics can be addressed as a matter of “data governance” within the same institutional framework described.

Of course, there are some disadvantages: to begin with, cloud storage would be sustainable only for some kind of devices (e.g., TV, video surveillance) or some sort of data (e.g., images, geotagging) or purposes (e.g., public tenders, high risk infrastructures), not for every kind of device introduced in the EU market, thus the range of data collection is significantly limited. Secondly, the HASH signature could become obsolete with the introduction of new technologies, such as quantum computation, therefore another technology should be adopted. Finally, the creation of EECA will increase the already significant number and variety of EU institutions, if not overlap or duplicate with existing competences (ENISA, at least). We believe that these drawbacks can be properly addressed and that our proposal could be integrated into the ongoing development of E-CODEX.

There are also possible further implementations or variants to be considered: the certification could be voluntary in some cases and obligatory in others, EECA could result by the coordination of country-based delegations or agencies in order to increase decentralization and avoid bottlenecks, the process of extraction could be limited to specific data instead of aiming at copying the whole archive in order to better comply with privacy requirements, the data extracted could be formatted in an XML schema in order to include them into current ontologies and increase the automation of the whole ecosystem.

In the future we intend to deepen the details of our proposal and improve its technical accuracy.

This chapter is the result of joint research of the co-authors. Specific individual contributions can be attributed as follows: Federico Costantini, paragraphs 1, 2; Fausto Galvan, paragraph 3 and 4. The authors express their gratitude to Marco De Stefani for his precious suggestions.

• Governance, n.: Oxford English Dictionary. 3, Oxford, Oxford University Press, 2015.
   
• Abraham, Rene/Schneider, Johannes/vom Brocke, Jan, Data governance: A conceptual framework, structured review, and research agenda, International Journal of Information Management, volume 49, 2019, p. 424–438.
   
• Al-Ruithe, Majid/Benkhelifa, Elhadj/Hameed, Khawar, Data Governance Taxonomy: Cloud versus Non-Cloud, Sustainability, volume 10, issue 1, 2018, p. 95.
   
• Alhassan, Ibrahim/Sammon, David/Daly, Mary, Data governance activities: an analysis of the literature, Journal of Decision Systems, volume 25, issue sup1, 2016, p. 64–75.
   
• Attard, Judie/ Brennan, Rob, Challenges in Value-Driven Data Governance. In: Panetto Hervé, Debruyne Christophe, Proper Henderik A., Ardagna Claudio Agostino, Roman Dumitru, Meersman Robert (Eds.), On the Move to Meaningful Internet Systems. OTM 2018 Conferences, Lecture Notes in Computer Science Springer International Publishing, Cham, 2018, p. 546–554.
   
• Biasiotti, Maria Angela, A proposed electronic evidence exchange across the European Union | Digital Evidence and Electronic Signature Law Review, Digital Evidence and Electronic Signature Law Review, volume 14, 2017.
   
• Engels, Barbara, Data Governance as the Enabler of the Data Economy, Intereconomics, volume 54, issue 4, 2019, p. 216–222.
   
• Floridi, Luciano (Ed.), The Onlife Manifesto. Being Human in a Hyperconnected Era, Open Access Springer International Publishing, Cham 2015.
   
• Kurzweil, Ray, The singularity is near. When humans transcend biology, Gerald Duckworth, London, 2005.
   
• Lakshmi, K. Aishwarya/Honnavali, Prasad B./Rajashree, S., Ensure the Validity of Forensic Evidence by Using a Hash Function, Inventive Communication and Computational Technologies, 2021, 341–46 https://doi.org/10.1007/978-981-15-7345-3_28.
   
• Micheli, Marina/Ponti, Marisa/Craglia, Max/Berti Suman, Anna, Emerging models of data governance in the age of datafication, Big Data & Society, volume 7, issue 2, 2020, p. 2053951720948087.
   
• Roussev, Vassil, Hashing and Data Fingerprinting in Digital Forensics, IEEE Security & Privacy Magazine, 7.2 (2009), 49–55, https://doi.org/10.1109/MSP.2009.40.
   
• Velicogna, Marco, E-Justice in Europe: From National Experiences to EU Cross-Border Service Provision | SpringerLink. In: Alcaide Muñoz L., Rodríguez Bolívar M. (Eds.), International E-Government Development Palgrave Macmillan, Cham, 2020, p. 39–72.