When a terrorist strikes, getting information fast from a tech giant can make the difference between police catching the suspects, or another attack taking place. That’s the premise of a new game created by Europol, the European body responsible for connecting the continent’s myriad policing agencies and helping them investigate major crimes.
Right now, police officers are often confused by the process. What data can they request from which provider? Can they retrieve any encrypted content from the likes of Apple or WhatsApp? What legal mechanisms should they be using? What’s the best language to use to ensure they get the information they want quickly?
Cope want data, from Facebook to TikTok
The game, exclusively shown to Forbes ahead of its release to law enforcement partners and their 4,500 officers on Wednesday, hopes to make sure police know the answers to those when an emergency happens. It looks much like Who Wants To Be A Millionaire but crossed with a create your own adventure game and without the options of phoning a friend or asking the audience. It opens with a hypothetical terror attack in which a gunman has started firing at people on a city street, killing 15 and injuring many others. When the player arrives on the scene, they learn that the suspect has fled but had worn a body camera to livestream the event. The livestream has been found, created by a profile called Bobby Cat.
The player is then offered multiple choice questions about what information they would seek, from what provider and how. Some of the questions are about processes, others are vendor specific, covering data access at established tech firms like Facebook through to newer players like TikTok. The quicker the officer is in getting the relevant data, the more points they score.
If the police officer can make it through the myriad questions, they’ll have saved the day. If they fail and run out of time, a fireball explodes on the screen and another terror attack has occurred.
The game is the product of the SIRIUS team within Europol’s European Counter Terrorism Centre. SIRIUS was set up in 2017 with the aim of helping officers deal with the ever increasing flood of data available at crime scenes and on criminal suspects.
Juan De Dios Toledo Martinez, project manager of the SIRIUS team within Europol’s European Counter Terrorism Centre, says the game was based on the guidelines it had already put together for retrieving data from tech companies. SIRIUS had previously worked with the likes of Apple, Facebook and Google to come up with those guidelines to streamline what was, and sometimes still is, a clunky process. When European investigators had to reach out to partners across the Atlantic to acquire data, they have to jump through various legal loopholes and regulations such as the General Data Protection Regulation and the now-invalidated Privacy Shield have only muddied the waters.
Martinez hopes the game will lead to more successful requests than law enforcement are currently seeing. Transparency reports from the likes of Apple and Facebook show that a sizable percentage of requests are rejected. For instance, in the second half of 2019, Apple received 249 emergency requests, which differ from typical requests where the iPhone maker has more time to respond. In 215 cases, data was sent back to the requesting officer, meaning in 34 emergencies, the officer failed to provide enough legal justification for Apple to hand over customer information.
“Our principle is: the more everybody knows about the process, the more the companies and law enforcement and the judiciary know about what the options are,” Martinez tells Forbes.
In the U.S., the Justice Department is finding itself at loggerheads with tech companies over law enforcement assistance. A war of words with Apple ensued when the tech provider said it couldn’t help the FBI access two iPhones used by the terrorist who carried out a shooting at a naval base in Pensacola, Florida. The FBI claimed that vital time was lost because Apple didn’t help it get data from the devices, though the feds did eventually bypass security on the phones to retrieve information.
Martinez says that when it comes to companies providing encrypted communications apps, like WhatsApp or Signal, police should know they can still access other data on users, like IP addresses or other account use information that could prove to be valuable. “Having the content data encrypted doesn’t mean that they are not storing any user data. So we want to highlight that to the investigator,” he adds. “So for investigators who’re not really experienced, they can feel like WhatsApp or Telegram are encrypted end-to-end, so they have no data. But that’s not true. They have the IP connection and what device they’ve used to connect to the platform.”
The balancing act between preserving customer privacy and protecting people’s safety remains fraught with difficulties. But, with projects like those carried out at Europol, police can at least learn how to work more efficiently with the world’s tech giants.