Let’s call it “lex WEDOS”


In our last post, we criticized the new provisions of the Criminal Procedure Code. It was interesting to follow the discussion around the whole case. It’s a case of…


What’s going on?

Since 1 February 2019, the Czech legal system, more precisely Act No. 141/1961 Coll. (Criminal Procedure Code), has contained a new section which we at WEDOS consider very controversial.

From our point of view, this brings us closer to a police state, because the police suddenly have powers that do not belong in the rule of law.

We should start taking the internet seriously. It affects our lives much more than we think and admit. It affects our relationships, it affects the economy. The internet helps to generate over 10% of GDP in the Czech Republic and the internet economy itself accounts for about 5% of GDP. For that reason, it certainly deserves attention.

The exact wording of the new provisions and what bothers us

Let us first recapitulate the full text of the new section 7b (of particular interest is paragraph 2, which we have highlighted in red):

(1) Where it is necessary to prevent the loss, destruction or alteration of data relevant to criminal proceedings which are stored in a computer system or on a medium, the person who holds or has under his control the data may be ordered to retain such data unaltered for the period specified in the order and to take the necessary steps to prevent disclosure of the fact that retention has been ordered.

(2) Where necessary to prevent the continuation or repetition of criminal activity, a person who holds or has under his control data stored in a computer system or on a medium may be ordered to prevent other persons from accessing such data.

(3) An order under subsection (1) or (2) may be issued by the President of the Chamber and, in pre-trial proceedings, by the public prosecutor or a police authority. The police authority needs the prior consent of the public prosecutor to issue such an order; without prior consent, an order may be issued by the police authority only if prior consent cannot be obtained and the matter cannot be delayed.

(4) An order under subsection (1) or (2) shall specify the data to which the order relates, the reason for which the data are to be retained or access to them is to be prevented and the period for which the data are to be retained or prevented, which shall not exceed 90 days. The order shall contain a statement of the consequences of disobeying the order.

(5) The authority which has issued an order under subsection (1) or (2) shall promptly deliver it to the person against whom it is directed.

In a way, we understand the first paragraph. It is about securing evidence for criminal proceedings. The police will ask the service provider – the data holder – to make a copy of the data. That paragraph is only about the preservation of evidence. The data will not be obtained directly by the police authority. They remain stored with the operator and will only be released to the police on a court order.

In our opinion, the second paragraph is particularly critical, as it allows a website or any network service to be disabled directly. So it doesn’t have to be purely a website; it can be a whole server. The aim is to make the data inaccessible to third parties (i.e. to anyone else). It can be not only a web server, but also a mail server, an FTP server, a database server or a virtual server. In the end, it can be anything, because “imagination” has no limits. And law enforcement can be very creative…

Under this new section, any police agency in our country can now request a shutdown of any service for up to 90 days with (virtually) no consequences whatsoever.

How to understand it? Custody for your website.

It is simply a kind of custody for your site, custody for your server. Plain and simple: if there is anything suspicious on your site or server, your site or server can be down for 90 days.

We are not talking about deleting some text on the site, but about shutting down the entire service. A technical polemic on this topic is a few paragraphs below.

Everyone can imagine what consequences this can have for any website or internet company. Every webmaster or server administrator’s first thought is that the website will drop out of search engines. But that’s nothing compared to a website with a discussion forum, a company presentation or an e-shop being down for 90 days. After 90 days, there is no need to switch the website back on. It’s pointless.

Today there are many companies whose main value is in IT, data and systems and not in tangible and other similar assets. For example, in our country we value all information, knowledge, skills and intangible things much more than material things. Our tangible assets include, for example, 2 of our own datacenters (with equipment) with a value of eight zeros. If the Police of the Czech Republic shut down our website, we will have the buildings, but what good will they do us… Similarly, there are many companies that are so dependent on their web or server (IT in general) that even their factory production will not run in the event of a shutdown. We have customers who have services with us, and if the Czech Police turn off their services, you won’t buy baked goods in the store the next day, for example. You think that’s impossible? But it is. That’s why we’re pointing it out.

In our last post, we likened it to shutting down a factory for 90 days. Try to think and imagine all the possible scenarios of what police officers (without experience and legal training and technical knowledge) can do… I’m sure you can think of worse things than us…

Why should the Police of the Czech Republic have such powers?

We don’t get it. We don’t think they need to have them. There’s no reason at all. Until now, the Police of the Czech Republic could act, but always under the supervision of a prosecutor or court. From our own experience, we know that when the need arises, the necessary steps can be handled in a matter of tens of minutes. For example, we ourselves had a case (on a Friday afternoon) when the Police of the Czech Republic wanted to shut down a website and had all kinds of arguments for doing so. We refused and advised them how to proceed. And to our surprise, within a few dozen minutes we had the court’s decision in our inbox.

As some have interpreted it

Sometimes very badly. Someone said that it’s not about shutting down sites or services, but just making the administration or access to the data unavailable to the administrator so that the data cannot be changed. No, no and no. It’s not in the law. This was not the intention of the legislators either.

On one of the servers dedicated to IT issues, a comment was even posted in which a female law clerk (under the name of her employer, i.e. a law firm) said that it was not a big deal. Supposedly paragraph (2) refers only to paragraph (1), and so it is supposedly only about not disclosing the copy of data made under paragraph (1). We consider this to be a completely erroneous interpretation. It contradicts the logical interpretation of the entire text. Perhaps a harsh comment on this would be that something like this is more likely than not grounds for returning a law school diploma…

We have also heard arguments that the Police had legal tools to shut down websites long ago. It’s not like that. We have literally dispelled all such arguments.

We have seen several similar misinterpretations in recent days. Most of them were opinions of non-lawyers or people who know absolutely nothing about IT issues.

There is a possibility of appeal

(Doesn’t) exist. It has been said somewhere that it is no big deal because the provider will be able to appeal. Yes, there is the possibility of an appeal, but I can’t imagine that we will be employing more lawyers to write appeals.

And what’s the main thing? An appeal will not prevent the service from being shut down, because the filing of an appeal will not have suspensive effect. We’ll have to shut it down immediately.

We save servers in the server room from seizure under other provisions

A funny argument that has been defended by several different MPs. We ask point-blank: how many cases of seizure of servers under Section 79 of the Criminal Procedure Code, which deals with confiscation of property, do you know of? How many seizures of servers in server rooms in the Czech Republic have happened historically? If any case actually happened, it was for a long-running crime and the seizure of the servers happened with the assistance (approval) of a prosecutor or judge.

Moreover, this argument is really laughable nowadays. Gradually, services are moved to different cloud services and data can be spread across the network. So, for example, one website can have data on different servers, in different racks, in different datacentres, in different countries and even on different continents. How are the Czech Police going to confiscate this? The police wouldn’t even be able to determine which server is where and what they are actually supposed to seize.

Conversely, there can be hundreds or thousands of other services and clients on a single server, and by seizing the server you will harm others.

Surely you can sense from this that the Police of the Czech Republic may want to circumvent the technical impossibility of seizing servers with the new provision…

We stop DDoS attacks, we stop phishing, fraudulent e-shops

Another funny argument. The explanatory memorandum to the new provisions of the Criminal Procedure Code literally states:

The provision also allows for an urgent preliminary response to defective data and to order the person who holds or controls it to prevent access to such data by others for a limited period of time, if this is necessary to prevent the continuation or recurrence of criminal activity (typically fraudulent e-shops, malicious codes – viruses, worms, sources of DDoS attacks, etc.). Following the above measures of a provisional and temporary nature, it is then possible to obtain the removal of such data under other regulations (e.g. under Act No. 480/2004 Coll.). A similar arrangement can be found, e.g., in the Slovak Criminal Procedure Code.

We know from our own experience that it doesn’t work that way. What is a fraudulent e-shop? Anyone can label anyone that way at any time. For example, we have encountered a case of a “fraudulent e-shop” where the e-shop operator (a one-man show) did not ship orders for several days and did not respond to emails because he was in hospital.

DDoS attacks really aren’t solved by the police that way. Phishing or otherwise problematic issues can be dealt with by the hosting provider itself. Coincidentally, most of the illegal activities are conducted on fake accounts with various more or less false contact details. Even there, there are procedures for checking and vetting the person in question and proceeding accordingly. Certainly quicker and more efficient than a decision by a police authority. A body that (mostly) knows literally nothing about the issue.

Shutting down websites and services was reportedly not the intention of lawmakers

This argument doesn’t hold up either. If one can read, it is already clearly stated in the above-mentioned explanatory memorandum that it is about shutting down services.

Another argument that the shutting down of websites was the intention of the legislators is the statement of one parliamentary party that responded to our warning. In their nonsensical view, shutting down websites is a lesser evil than seizing servers in server rooms (we’ve written a lot here about frequency and harmfulness and meaningfulness). I hope the cops don’t shut down their website before the election… There’s always a reason. 🙂

Another argument that the shutting down of websites was intentional is the presentation of the entire amendment in our company directly by one of the co-authors of the text. We still have his handwritten explanation on our bulletin board. We are haunted by it every day and afraid to delete it.

Similarly, the Special Activities Unit (of the Police Presidium) presented the whole amendment to us and we were told that it would now be followed and that there was no other way. There will be no possibility of a postponement. We had our own private lecture, because we deal with several requests from the Czech Police every day. Yes, there are indeed several requests for assistance from the Police of the Czech Republic every day lately. After all, somehow we are connected to about 18% of all Czech websites. So we have a lot going on, and of course most of the time the customers are without problems, but there are also clients who probably don’t have completely pure intentions. At the same time, sometimes we deal with customers who are fine, but someone doesn’t like their website because it contains information that may not be entirely comfortable to someone (and yet is in compliance with the law).

It must be admitted that part of the discussion with the Special Activities Unit mentioned in the previous paragraph was about trying to devise a system whereby all requests from the Police of the Czech Republic would be directed to us through one central point that would guarantee a uniform procedure and approach. We are currently being contacted by police officers from all kinds of departments across the Czech Republic, in many cases repeatedly on the same matter. It is sometimes messy, and the requests are inaccurate and problematic to process. So we see some progress here.

Frequency of individual activities

As we have already mentioned, in more than 22 years of activity in the hosting industry, we do not know of any cases of seizure of servers directly in the server room. If anything, it was really not for small things and certainly under supervision. Yes, we’ve already been threatened with it, but…

On the other hand, we receive (literally) several requests every day from various entities to shut down a site and remove data. Most of them come from affected individuals (or companies), some from lawyers for the various parties concerned. They are based on a different law (see below). We reject the vast majority. We explain the situation, inform our customer and invite them to remedy it. So the frequency is several times a day, and we remember maybe one case where we granted the applicant’s request.

Practically every month we are contacted several times by the Police of the Czech Republic or other state authorities with a request to shut down a website (or other service) or remove information. We refer them to the relevant procedures and the need to provide a court decision. The competent authorities usually do not deliver one. Thus, the frequency of requests is several per month, but a court decision is delivered only in single-digit numbers of cases per year. But now police officers will be able to request a shutdown right away. And we will have to obey. You can certainly see the difference in frequency (several per month vs. single digits per year).

When the police learn to use the relevant provisions, we will certainly have something to look forward to.

What is the “evil EU” doing to us again?

The “evil EU” is not to blame for anything, because this is how our legislators “performed”.

The part of § 7b that we criticize, i.e. paragraph 2, is a purely Czech specialty. So our legislators have “butter on their heads” and we really don’t understand the reason for having it in the law.

Paragraph 1 is based on the 2001 European Council resolution (see Articles 16 and 17) and was therefore brought to us by the “evil EU”, but this paragraph is relatively unproblematic and, in terms of securing evidence, somewhat understandable.

EU legislation does not require anything like the problematic and controversial paragraph 2, and our legislators either had absolutely pure intentions and wanted to be more papal than the Pope himself, or we have to look for possible ulterior motives. There’s no other way to explain it. There will be few countries in the world that have similar provisions. It certainly won’t be in established and model democracies.

We are not about politics

We are really about principles. Principles of the rule of law. We care about our clients. We care about our reputation in front of our clients, because that is the most valuable thing we have (along with the freedom and democracy we defend by doing so).

We do not want to dissect here who voted for the amendment and how. If you look at the results of the poll, you might be surprised. For example, even parties that have made internet freedom a priority in their election programmes voted in favour of the controversial paragraph. They must have forgotten what they promised. As they say… No one makes more promises than politicians before elections.

We have participated in several internet discussions in the last few days and have exchanged many e-mails on the subject. We prefer not to comment on the result. A few (very rarely humanly decent) MPs admitted their mistake and wrote that they voted for it because they were advised to do so and didn’t actually know the details. Today they are ashamed of it and not afraid to admit it publicly. Thumbs up for that. On the contrary, others are silent. They also lie to entire parties, preferring to quickly move on to other topics. Others make up stories that they are negotiating with us about the next course of action and we don’t know anything 🙂 Probably about us without us.

We don’t do politics and we don’t want to get involved. So we’d better not go any further on that level. If you want to know more about the amendment, you can find it here.

What we find funny

There are various activities here to save the internet. Some political parties have internet freedom right in their program (and compare their program and their votes).

Various people invent activities to save the Internet, which are supposed to consist of freedom (sometimes bordering on infringement) of copyright or other activities. Unfortunately, the authors of these activities, all or most of them, do not realize that the new provisions of the Criminal Procedure Code allow any police officer to shut down any website (and under almost any pretext). This puts the internet at risk far more than anything else. This is where we can run into freedom of speech (which, of course, has its limits), because the new § 7b can be abused for censorship. It can also be used against competitors.

“Save the internet, write to your MEP!” and other phrases from some parties in this connection sound really ridiculous…

The attempt to downplay the whole thing is also funny. They say this law is better than the current legislation. This could not be claimed by someone who is in the industry and now acts purely alibistically…

We’re not even dealing with the technical side of the whole thing

We have been in hosting since 1997, now in our 23rd year, so we know something about that…

We wonder how such a shutdown will be imposed. Will only certain information be deleted? How? How are we going to do this? Is the website supposed to be down? How, technically? Will FTP be disabled? How, and by whom? Should the database be turned off? What about the emails? What about administration of the services? How … It’s full of questions. But the law does not know IT, and so the questions remain unanswered.

Should the virtual server be turned off, or the physical server, on which there can be many, many other services (even thousands of other websites can depend on one web hosting server)? This is going to get interesting.

Should the domain be disabled in DNS? How does the hosting provider do it? How does the registrar do it? Or will only the registry do it? What will be the impact on third-level domains? What impact will this have on other domain-related services (such as email)? Do the police officers who will be shutting things like this down know anything about it?

How do we do this for cloud services?

The interdependencies in IT can be unimaginable. For example, shutting down a domain that may serve as the DNS server for hundreds of thousands of other domains… can cripple some percentage of GDP. No one knows when someone is going to order it…

What else is wrong?

There is more…, but while we are on the subject of criticism, we can also find problems in another law, namely Act No. 480/2004 Coll., on certain information society services. Its Section 5 contains a provision that is rather imprecise and impractically worded. It completely fails to define the terminology it uses. It is based on EU directives, but it is 19 years old and doesn’t reflect reality. In 19 years the world has moved on, the internet has made huge strides, and the requirements in the law do not match reality.

We raised the issue 6 years ago and unfortunately nothing has changed.

Every day we have to explain the situation to various applicants that the purpose of the legal provision was something completely different and that we do not even have the technical means to modify the content of individual websites (or services).

The purpose of the law is to ensure that the operators of the various repositories where copyright infringement occurs respond to notices of illegal content. Or, for example, various discussion sites where discussion often violates various rights, including basic human rights… The purpose of this is to ensure that website and server operators, i.e. website and server owners (and administrators), i.e. people who manage the content of websites and servers, respond to warnings about violations of the law. In the case of a legitimate request, it is therefore the duty of such operator, i.e. the owner (administrator) of the website (or server) to delete the problematic content from the website (or server). Such an operator, i.e. the owner (or administrator) of the site (or server) has the technical tools to selectively delete problematic (illegal) content. It can delete it so that it does not affect the rest of the service or other services or other content on the site (or server) in question.

From a hosting point of view, it is impossible to deal with disabling specific information on the site or removing any files on the site. Unreal. Technically pointless. Every administrator of any website knows that we can’t just interfere with the content of the site. We do not have access to any administration interface. We can’t tamper with the databases. We can’t change data inside a virtual or physical server. No one knows the impact of shutting down one service on thousands of others.

For this reason, it is virtually impossible for us to deal with similar selective requests to remove illegal content.

Similarly, turning off one service is very problematic. One service can be linked to several hundred others. For example, a web hosting service may have thousands of other domains registered (and operated) under one service. Or there may be a blog and an e-shop and we may not even know about it. The situation is even worse with virtual servers, where we do not know the content at all and the data can be (and very often is) encrypted…

§ 5
Responsibility of the service provider for storing the content of information provided by the user

(1) The provider of a service consisting of the storage of information provided by a user shall be responsible for the content of the information stored at the request of the user only

(a) if he or she could have known, in view of the subject matter of his or her activity and the circumstances and nature of the case, that the content of the information stored or the user’s actions are unlawful; or

(b) if it has become aware of the unlawful nature of the content of the information stored or of the unlawful conduct of the user and has not promptly taken all steps that may be required of it to remove or make unavailable such information.

(2) The service provider referred to in paragraph 1 shall always be liable for the content of the stored information where it exercises, directly or indirectly, a decisive influence on the user’s activities.

The designation “service provider” is problematic. Either it must state that it is not a hosting company (see our proposal below) or it must state that it is a “service provider” or “operator of a service, such as a website operator”.

As it stands, hosting is put in the position of a judge, where we have to decide whether certain content on the site is illegal or risk huge penalties, including damages or criminal prosecution.

Yes, we have a clause in our terms and conditions that allows us to switch off the service in exceptional circumstances. However, we do not want to address what is and is not illegal content. Yes, when we get a final court decision, we will respond. But we can’t decide about copyright or about various (in)defamations or harmfulness of certain content. No, that’s not the way, and hosting is not and cannot be a judge. We’re not replacing a judge.

What do we propose?

In our opinion, the new provisions of the Criminal Procedure Code and the older provisions of the Electronic Communications Act should be amended. So as not to only criticize, we would like to suggest the following changes. I’m sure someone will come up with a more appropriate formulation, but it wouldn’t be fair for us to criticize and not suggest anything.

From the point of view of the Criminal Procedure Code, we recommend that paragraph 3 of § 7b be amended as follows:

(3) An order under subsection (1) or (2) may be issued by the President of the Chamber and, in pre-trial proceedings, by the public prosecutor or a police authority. The police authority shall require the prior consent of the public prosecutor to issue such an order; without prior consent, an order under paragraph 1 may be issued by the police authority only if prior consent cannot be obtained and the matter cannot be delayed.

In the bolded text you can see that it only takes 2 words and 1 digit to make the meaning of the whole paragraph completely different.

If our legislators really insisted on retaining the powers of the Police of the Czech Republic, the provisions of paragraph 2 would have to be revised accordingly. Similar provisions and procedures as in the case of detention for a person suspected of criminal activity would be applicable there. There are fairly limited options for when you can have a suspect detained and then there are clear (and short) statutory time limits in criminal law where both the prosecutor and the judge must act. I’m sure there would be suitable wording. However, we consider our above proposal to be more correct.

At the same time, we consider it necessary to propose an amendment to Section 5 of Act No. 480/2004 Coll., the Act on Certain Information Society Services, for example by adding paragraph 3 as follows:

(3) A provider of hosting services shall not be deemed to be a provider of a service referred to in subsection (1). The provisions of paragraph 2 shall apply mutatis mutandis in this case.

What are the options for what to do about it?

We see basically 2 possibilities. Either the state will react and modify the relevant provisions, or the hosting providers and their customers may start moving elsewhere… After all, the current legislation in the Czech Republic is much stricter than in most countries in the world. It is also more favourable in all other EU countries.

Why don’t others speak up and why do we only speak up?

We don’t know why the others aren’t responding. Ignorance? Reluctance? Convenience? We don’t know. We are number one in the Czech hosting market and the largest .CZ domain registrar, and we became number one because we fight for our clients.

So we’re doing it:
Simply so we can look in the mirror in the morning.
Simply because it is everyone’s duty to fight for the rule of law.
Simply because we stand up for our clients.
Simply because we are fighting for ourselves too, because if we imagine us with the web shut down, we consider it a disaster.

Remember that whatever can be abused, will be abused sooner or later…

Maybe one day it will be your website or e-shop…

It’s strange that this got quietly put into law and there was no mention of it anywhere. It’s strange that this hasn’t sparked any discussion. The internet public has rebelled against other things over time…

Edit 28. 2. 2019 at 12:00:
This morning we had a quick meeting with the staff of the Police Presidium, where we discussed the whole matter together and the aim is to develop a methodology and procedures to address the current legislation.