Terrorism and new technologies

Recent terrorist attacks have revealed the dark side of new information technologies. Organizers of attacks, or fighters for the “Islamic State,” have ruthlessly exploited the latest communications technologies. For example, according to media reports, terrorists have arranged attacks via PlayStation tools or encrypted instant messaging services. Polish lawmakers decided to respond to this phenomenon by passing the Anti-Terrorism Act of 10 June 2016.

Existing methods for fighting terrorism have failed the test. Communications between terrorists have moved to platforms that often are not yet recognised by the law. The Anti-Terrorism Act is intended to ensure effective functioning of law enforcement authorities in the area of the latest communications technologies.

Increasing the entitlements of law enforcement authorities in the area of new technologies is bound to generate many controversies, but those controversies are not the subject of this text. Instead, I will focus on the consequences of some of the provisions of the act which electronic service providers may not be sufficiently aware of.

In this context, Art. 9 of the act is particularly notable. It provides the possibility for the Internal Security Agency (ABW) to undertake certain undisclosed operational activities, such as obtaining access to correspondence conducted through electronic communications channels, and accessing and recording data contained in IT data carriers, end-user telecommunications devices, IT systems and teleinformatic systems. This provision sparked controversy from the very beginning of work on the bill, primarily because these operations could be undertaken against persons who are not Polish citizens. Critics of the bill took this as evidence of prejudice on the part of the proponents of the bill. But this provision is also interesting for at least two other reasons.

First, the obligation to provide ABW with the technical and organisational conditions necessary to perform these operations rests not only on telecommunications companies and postal operators, but also on electronic service providers. This is a groundbreaking regulation because the concept of electronic service provider is a sweepingly broad category. It includes, for example, e‑commerce platforms, suppliers of cloud-based solutions, operators of instant messaging services, operators of online gaming platforms, and financial institutions operating online platforms for provision of financial services. This varied group of entities uses a range of different technical solutions and is covered by various regulatory regimes.

Under Art. 9 of the Anti-Terrorism Act, electronic service providers will be required, among other things, to provide ABW with access to IT systems and IT data carriers. Few people seem to realise that this provision could theoretically serve, for example, as the legal basis for accessing IT systems of banks or operators of Internet portals, as well as the content of discussions conducted using popular IM services. Suppliers of electronic services should undoubtedly consider adopting internal procedures so that they are in place in the event they receive a demand to provide ABW with the conditions necessary for it to carry out such operations.

Second, under Art. 9(2) of the act, a telecommunications operator or provider of electronic services will be required to provide ABW with the technical and organisational conditions necessary to obtain and record data contained on end-user telecommunications devices. Does this mean that ABW can rely on this provision to force a telecommunications operator or electronic service provider to allow access to data contained on a smartphone, even if it is protected by a password?

Even greater controversy surrounds the new Art. 32c of the Internal Security Agency Act, adopted along with the Anti-Terrorism Act. It introduces a procedure for blocking access, which could apply to access to specific teleinformatic data as well as certain teleinformatic services used for causing an event of a terrorist nature. In this instance, the new obligations are also addressed to electronic service providers. As the drafters used the broad notions of “teleinformatic data” and “teleinformatic services,” theoretically this provision might be used to block entire communications channels, as long as the conditions set forth in the act are met.

This regulation is a good illustration of the ever more visible tendency to impose an increasing number of duties on providers of electronic services. This is an inevitable consequence of the growing importance of these services in contemporary societies. Electronic service providers must begin to adapt their business to keep up with these trends.