Business Ethics & Corporate Crime Research Universidade de São Paulo

Despite Forensic Backups and Data Retention Policies, WhatsApp’s print-screens are illegal evidence: How come?

Image Extracted from Magnet Forensics Blog

Author: Carolina Christofoletti


Over the last year, crimes committed through WhatsApp have received some important stamps from Brazilian Courts. Not long ago, the Brazilian Superior Court of Justice ruled that, if WhatsApp cannot solve the cryptography problem it has created, the obligation is legally impossible, so that no fine shall be applied (under judicial secrecy, to be read here).

Recently, the Court decided that criminal evidence originating from WhatsApp print-screens is invalid (EDcl no AgRg no RECURSO EM HABEAS CORPUS Nº 133.430 – PE 2020/0217582-8) and, even though the case was not ruled in a CSAM scenario, that is what I would like to put on the discussion table today, and for a very special reason: this evidence is coming from a third party.

Do you see the horizon already? How do you report CSAM on WhatsApp, for example? You print-screen it and send it to WhatsApp, which should, at least originally, send the print-screen to Law Enforcement Authorities. Not only does this not happen but, if it ever happened, this evidence would be illegal – illegal, maybe, even as a basis for starting a criminal investigation. After all, how could one guarantee that nobody deleted anything there, to “hide” their own criminal acts?

This last hypothesis is a very interesting one, because this would have been Law Enforcement’s dream: criminals reporting each other, whose participation would also have been discovered in the forensics phase. We should, at that point, ask what we do with this criminal who decided to turn crown evidence. Since he also participated in the criminal act, though trying to conceal it, he is to be named a crown witness. We keep “whistleblower” as a term for someone who is not implicated in the criminal acts.

Prior to diving deeply into it, let us observe the surface for a while: We have a criminal group on Whatsapp, we have Whatsapp as an encrypted platform and we have a custody chain that could be solved through Whatsapp cooperation, which I will explain in a while. I am challenged by this illegality claim. Let us keep reading.

Very personally, I cannot agree with the logic used by the Brazilian Supreme Court of Justice with respect to WhatsApp Web, which also extends to the non-web version of the messaging app. The Brazilian Superior Court of Justice claims that, because WhatsApp allows someone to delete a message “only for oneself” with no (forensic) record of that, guaranteeing the legality of proof obtained through a print-screen would be impossible (RHC 99.735/SC, Rel. Ministra LAURITA VAZ, SEXTA TURMA, julgado em 27/11/2018, DJe 12/12/2018).

I disagree with the chain of custody argument, but we will get there in a while.

And, for Criminal Procedure practitioners, declaring print-screens from WhatsApp Web to be illegal evidence is to be read as follows: nothing that is based on this evidence can ground a criminal conviction. Once the evidence (the WhatsApp Web print-screen) is poisoned, a conviction can only follow if Criminal Prosecutors prove that there was another way of proving the facts and that, if this evidence had not existed, they would have come to the same result through a completely independent investigative path. Criminal Procedure Theory calls that “fruit of the poisonous tree”.

But what is wrong with deleting a message from somebody else? Nothing. If someone deletes a criminal message – for example, a Child Sexual Abuse Material (CSAM) file – sent by somebody else through WhatsApp, lucky for the sender.

Even if one could delete a message in such a way, one could not create a message, that is, put into the suspect’s mouth words he has never written. The problem is when one deletes one’s own message and, consequently, the problem will only exist when the defensive thesis is “I was entrapped (by the police) to commit a crime”. This is the first point.

The problem with entrapment is, however, police entrapment. If police entrapped you into doing something illegal, Brazilians say that, by definition, the crime is impossible (which is a legal classification with which I also disagree, even though I agree with the illegality of that). Third-party, civilian entrapment is seen otherwise: criminal abetting.

The problem with denying, as a generalized rule, the legality of print-screened evidence is that, sometimes, this rule inevitably faces crimes where the materiality of the crime depends, most of the time, on CSAM files being found. Therefore, from a legal point of view, criminals are deleting those files, or even accessing them without downloading them on platforms where they know that trackers do not exist.

But if one claims that one was instigated to commit a crime, one should keep the proper records of it, and a new rule should be created for the WhatsApp Web case: those print-screens are valid, but only if one reports them within the next X days. When the rules are clear, both parties know the risk they incur and what kind of records shall be kept.

How much I miss the forensic personnel in those discussions. Why did anyone put the backup function of WhatsApp Chat Histories in the trial table? (read about it here). Every day, at 02:00 AM, WhatsApp creates a backup of your chat histories. Forensic tools (such as this one) are already available on the market, and criminals cannot benefit from their own cleverness just by invoking the benefit of the doubt. The question is, what piece is missing:

a)    If it is the interlocutor’s message: the defendant must have it. If it was really so, why would he have deleted only the third-party evidence while keeping his own?

b)   If it is the entire chat, why is it missing and why?

I am really worried about files that are shared through instant messaging, and what Brazilian Criminal Courts want to do with that. Those are print-screen-only cases, which is also a problem for the current CSAM reporting channels.

The Brazilian Superior Court of Justice claims that we are facing a “chain of custody” problem, because we cannot guarantee the methodology of collection (EDcl no AgRg no RECURSO EM HABEAS CORPUS Nº 133.430 – PE 2020/0217582-8). Since the problem is with the platform itself, the illegality of the evidence is completely indifferent to whether it was collected with or without judicial authorization.

But, indeed, if we do not call the forensic people for help, this is a problem that exists everywhere, which adds a considerable number of work hours for investigators. Things can be deleted everywhere. That does not mean, however, that we cannot keep track of deleted things.

Even if the communication content is encrypted, the communication requests are not. WhatsApp does not know what Alice sent to Bob at 3:00 AM on June 14th, but WhatsApp knows that Alice and Bob have communicated with each other. How can the chain of custody be invalid if the data exists, in such a way that one would be able to prove exactly where the missing piece of the puzzle is, if there is one?

Weirdly enough, the consecration of the illegality of WhatsApp print-screens contradicts another Criminal Procedure rule existing in Brazil that says, in a nutshell, that one does not need judicial authorization for a print-screen of a WhatsApp group of which the whistleblower was part to have legal validity. Since the reporting action comes from an interlocutor, and not from a “hacking” act, this evidence is valid (AgRg no HC 549.821/MG, Rel. Ministro JORGE MUSSI, QUINTA TURMA, julgado em 17/12/2019, DJe 19/12/2019; AgRg no AREsp 589.337/GO, Rel. Ministro JORGE MUSSI, QUINTA TURMA, julgado em 27/02/2018, DJe 07/03/2018; RHC 59.542/PE, Rel. Ministro ROGERIO SCHIETTI CRUZ, SEXTA TURMA, julgado em 20/10/2016, DJe 14/11/2016).

What, then, is up with WhatsApp?

I am very confused by the Court’s argument in WhatsApp cases. They claim that, unlike telephone interceptions, mirroring a WhatsApp Web page is illegal, because the Law Enforcement Agent would be able to interact as if he were the defendant. In one of the decisions, the Court mentions the possibility of temporarily seizing the defendant’s device, mirroring it and giving it back (EDcl no AgRg no RECURSO EM HABEAS CORPUS Nº 133.430 – PE 2020/0217582-8, a decision rule that has appeared previously in other judgments by the same Court).

Without judicial authorization and without any further formal notice of that, I have no doubt that such a thing is illegal. But my issue with this case is that it is not the hypothesis we are talking about: we are talking about print-screens brought by someone else.

But let us also keep this argument in sight, because I have serious doubts that it is a hypothesis to take into consideration. WhatsApp shall keep, and indeed keeps, Internet Protocol (IP) records of accesses, and criminals who are intelligent enough will spend two minutes checking their “returned devices” to see whether the “connected to a Police Station IP, in a X Browser, connected at Day Z and time Y” information is present.

“Collect it in airplane mode”, the forensics personnel will say. Indeed, if criminals see that information there, they will manually clean the Police servers, because they are the administrators. What the Police have is a mirror. So the hypothesis does not occur.

To talk about CSAM, the same court has already established that red-handed CSAM seizures made without a court order are not illegal, because it is, in fact, as if Law Enforcement personnel had administratively seized the material (RHC 108.262/MS, Rel. Ministro ANTONIO SALDANHA PALHEIRO, SEXTA TURMA, julgado em 05/09/2019, DJe 09/12/2019). Despite the fact that I am now arguing a case where the evidence comes from a third, non-police party, the circumstances are quite the same: one could also delete whatever one wanted there.

But what if people are not “storing that” anymore, or if criminals are deleting it, trusting that Court decisions such as these will protect them without anything further? Can you, after all, request an expert witness for something that Courts claim, ex ante, violates the chain of custody?

Knowing the extent of the ongoing CSAM problem on encrypted platforms such as WhatsApp and Telegram, denying the legal validity of a print-screen where reporting it otherwise would have been impossible (since the platforms are encrypted, meaning that they cannot guarantee anything either) is a dangerous carte blanche for criminals.

Think about it.