A ministerial decree cannot amend the Code of Criminal Procedure and the public prosecutor already has the power to search from a distance, deciding what to seize and what not to. The comment of Andrea Monti, professor of Law of public order and security, University of Chieti-Pescara – Initially published in Italian by Formiche.net
The ‘Trojan Decree’ —actually, a decree that sets the costs of the mandatory assistance that ISPs and Telcos provide to the prosecutor office— has triggered fierce controversy. According to some, it would have made it possible to automatically acquire, during an interception, also ‘static’ data such as the list of contacts and the contents stored in a smartphone or othe mobile devices. The settlement of this controversy was a political compromise according to which it would be possible to acquire contents of a mobile device only through a physical search and seizure.
This compromise makes no sense for various reasons.
Firstly, there was no need to state the obvious. In paragraph I bis of Article 247, the Code of Criminal Procedure already regulates the remote computer search and seizure as established by Law 48/2008 implementing the Budapest Convention on Cybercrime. The problem, therefore, are different. How is it that to intercept with the Trojan, the prosecutor must ask for a Court authorisation, while to ‘exfiltrate’ the files using the same instrument, only the prosecutor’s decree is sufficient without any court oversight? How is it possible to guarantee the righs on the non-alteration of what is seized at a distance, if the suspect does not even know that he is subjected to the search and seizure? How it is possible to carry out a search and seizure at a distance without notifying the suspect of what is going to happen? However important, these issue were not even taken into consideration.
Secondly, also the concerns expressed about the Trojan’s further exploitation through the decree on the costs of ISPs mandatory services are challenging to understand. A ministerial decree does not have the power to derogate from a state law. In other words, an executive’s act cannot contain phrases such as “without prejudice to the provisions of law XYZ” because there is no way it can amend an act of Parliament. Adding such a period to the Trojan Decree is, therefore, unnecessary. This unfamiliarity with the system of legal sources, however, is not new. For example, the Dpcm 131/2020 on national cyber security used in Article 4 a similar sentence as if a prime minister’s measure could derogate from a law of the State. One wonders whether this is an oversight or a particular technical choice aimed at extending, if not now, then in the future, the executive’s power, as already happened last year with the Dpcm used to manage the pandemic and the Huawei case.
Finally, also if the list of mandatory services fixes a price for the acquisition of the contents of a mobile device, it is always necessary to comply with the (already existing) rules of the Code of Criminal Procedure.
Summing up:
- a ministerial decree cannot modify a law of the State, which already provides for the decree of the public prosecutor also for remote search and seizure;
- guaranteeing the suspect’s right of defence in both remote search and seizure is, by contrast, an open issue. While in the case of in-person seizure the suspect is notified of the order and has the right to participate in the operations with the assistance of a trusted person, in the case of remote search and seizure we are dealing with acts carried out without the suspect’s knowledge.