This module is a resource for lecturers

Data retention, preservation and access

Requests for international cooperation can also be denied because of procedural requirements. Consider, for example, data retention, preservation and access practices. The data retained by Internet and communications service providers (discussed in Cybercrime Module 1 on Introduction to Cybercrime) depends on the providers' terms of service, privacy policies, and business practices (Westmoreland and Kent, 2015). For this reason, variation exists between providers not only concerning the type of data retained (e.g., IP logs or information about deactivated accounts), but also the period of its retention (days, weeks, months or years) (see, for example, Twitter " Guidelines for Law Enforcement" and Facebook " Data Policy" for more information). Data retention, as well as access, also varies according to national, regional and international data protection laws (described in detail in Cybercrime Module 10 on Privacy and Data Protection).

Data preservation requests are made to service providers by law enforcement in an effort to retain data before it is deleted or altered in any way (Sutton, 2016). Access to preserved data is prescribed in national law. The legal orders (e.g., court order or search warrant), if any, needed to obtain various forms of data from service providers differs between countries. For example, while in the United States subpoenas and court orders are needed for non-content data (or metadata; e.g., subscriber data and IP addresses) and a search warrant for content data (e.g., text in emails or other messages) (US Stored Communications Act of 1986; Title II of the Electronic Communications Privacy Act of 1986), Turkish authorities do not need legal orders to access non-content and content data (Internet Law 5651) (discussed in Cybercrime Module 3 on Legal Frameworks and Human Rights).

What is more, the authorities that can access stored and/or preserved data also vary by country. For example, in Kenya, a law enforcement officer or other authorized person (i.e., "a cybersecurity expert designated by the Cabinet Secretary responsible for matters relating to national security") can access preserved and retained data pursuant to Kenya's Computer Misuse and Cybercrimes Act of 2018, whereas in Jamaica only law enforcement officers are authorized to access data (see Cybercrimes Act of 2015).

Furthermore, voluntary disclosure by Internet service providers is allowed without legal orders in certain situations delineated by national law (Sutter, 2016). A case in point is an emergency request for data in order to prevent serious bodily harm or death. If service providers refuse to provide the data requested voluntarily, under certain circumstances, and depending on the case, evidence sought, burden of proof, and national law, these providers can be legally compelled to provide this information (Westmoreland and Kent, 2015; Sutter, 2016).

Did you know?

Social media and other online platforms have transparency reports (see, for example, the reports of Pinterest, Tumblr, Twitter, LinkedIn, and Facebook, to name a few) that include information about the number of requests made to access data about users of their site, the national or international parties requesting this information, what legal mechanisms were used to request and/or access the data, and whether the platform complied with the request.

Next: Challenges relating to extraterritorial evidence
Back to top