A
Welcome to the Tech Pill, a podcast that looks at how technology is reshaping our lives every day and exploring the different ways that companies and governments use tech to increase their power. My name is Gus Hosein and I'm the Executive Director at Privacy International.
B
And I'm Caitlin and I'm PI's Campaigns coordinator. Hi.
A
I am very, very excited about the guest we have today. It's Bill Goodwin, who is an award-winning journalist. He's the investigations editor at Computer Weekly. And for those of you who are not from the UK, Computer Weekly is a UK trade press where. And it's, it's, it's, I want to say it's beyond a national treasure it, because it's one of the few national outlets that conducts investigations of things that really matter and that actually change the fabric of politics and the practice of power in the UK and arguably beyond. I hope when we get to it, we're going to be talking about some of the investigations Bill and his colleagues have done, looking at, say, a huge scandal that happened in the UK over a period of 15, 20 years involving the Post Office and how computer systems were used. The computer system was deployed, was faulty, and yet people were wrongly accused of having committed crimes. But leaving that aside, because I am so excited to have Bill and all the fantastic work that he's done over the years, I hope we get to it. One of the things we're going to focus on in this conversation is around Europol, which in its own explanation, Europol is an EU agency that is essentially the police agency of Europe, but it's not. And this is where I kind of need to nerd out just a little bit on the EU, that is the European Union, because the European Union is not like the United States of America. It's a body that has relatively limited powers. So the European Union does not have a police agency yet, but the European Union has, is that it has an agency called Europol whose task is to arrange coordination of police agencies in all of the member states. And so that could be linking the French investigators with Italian investigators when they have a crime that they're investigating that's in common. So they loop criminal intelligence together and they, they support governments, as they say, to combat serious and organized crime, but they have no executive power.
So if you're trying to imagine an FBI equivalent, which is, you know, when, when it was first set up, it was dreamt of by politicians as being the FBI of Europe, actually it's not so easy because of the way that Europe is structured. And I'll just give like one little bit more on European Union structure is that an agency of the European Union gets funding from the European Parliament, which is a parliament that has members of the European Parliament or MEPs, who make decisions like any other legislative body in any government around the world. But their decisions can only regulate what happens at the European Union level with this European agency. So they're the ones who decide the mandate of the agency, how much money the agency has. And they also set up regulators to make sure that these agencies follow the law. And one regulator in particular is going to be a recurring theme probably in this discussion is the European Data Protection Supervisor, which is the equivalent of the national regulator for data protection, but for Europe it's called EDPS, the European Data Protection Supervisor. And the undercurrent in all of this because I just bored you silly with the context of the European Union, but you have to understand it in order to hate it, is that over the last 15 to 20 years, almost without regard to 9/11, there's been an increased securitization, as the, as the academics refer to it, the European Union has increased, increasingly taken on this mandate of national security or of security, because there's no national. It's supranational. And it's increasingly empowered its agencies to do more and more with, with their, with the data that they accumulate, the technologies they accumulate. And it's unclear whether oversight and checks and balances have followed suit. So in today's discussion, we're going to be talking about one such case, which is Europol and some of the data it's collected in some of its systems.
Caitlin, did I miss anything there?
B
It's worth noting and it might be British exceptionalism, but my understanding is that there are some countries in the European Union who would prefer a federal style system and would prefer that the European Union have a policing agency that is more like the FBI would have some kind of like even it's gone as far as discussions around army forces. But traditionally the UK was very much against that and was very pushed back pretty hard on things like a joint European currency, a joint European policing force, a joint European whatever. But obviously the UK left the EU in 2016 or started leaving the EU in 2016. And so some of these trends toward federalism without the UK have kind of accelerated and it's shifted the power and the political will and interest in that style of kind of joint European Union collectivist action, I guess. And not to get too deep into things, but the European Union is not an equal system in which you know, like, it has a lot of different levels and some countries within those levels have more power than others. And so the makeup of those countries, which used to include the UK but no longer does, is quite significant for the federal interests of the EU, which is why I think the timing of some of the things we're going to talk about is quite interesting in relation to that 2016 date. But that is probably even nerdier than everything that you just said. So I think we should hurry our way along to talk to Bill now because he is more interesting on this topic than both of us.
A
Bill, I just got to say, I, I am so grateful you're here. You and I have been trying to meet up for years now, which is insane, because we, we work on the same issues and we are nerds of the same caliber. And just so the audience can understand, what I mean by that is, Bill is the kind of person that you run into when you go to, to court cases in tribunals that nobody's ever heard about, to talk about the intricacies of legal and surveillance matters that nobody understands. And where there is a. There's a part of the room where visitors can sit. And the only person that's going to be there along with you is Bill. And, and so it's so wonderful to see you outside of the context of what is known in the UK as the Investigatory Powers Tribunal. The main thing we want to talk about today is the investigation. You were involved looking at Europol in the context of this investigation. Well, why did you get into looking into Europol?
C
Well, this was a joint investigation with seven journalists from a number of different countries. And some of the people on the team have been investigating Europol for a very long time. And over the years, there have always been questions about how scrupulous Europol has been at storing people's private data and protecting private data. And there have been many concerns about how that data has been used and also the introduction of AI to analyze vast quantities of data. So Europol is very much moving in the direction of being a data hub for police forces all across Europe and collecting vast amounts of data, including data on innocent people, not just people involved in crimes. And there are questions over how well that data is being protected, how well the privacy of people who may have nothing to do with any sort of crime is being protected, and how AI is being used to triage and sort this data in increasingly powerful ways. So that's the background of how we started, and some whistleblowers came forward to some of the expert journalists on the team who've been investigating Europol for many years and asked us if we'd like to join them. And two other publications came on board as well. So Correctiv in Germany and Solomon in Greece and then Computer Weekly in the UK. We spent several months working on this story, but its gestation goes back much longer than that.
A
So, like you, we've been monitoring Europol for a while and as you say with your fellow investigators, whether it's through Freedom of Information requests or whistleblowers, you found some troubling behavior at Europol. What, what were the key findings?
C
Well, what we discovered was that Europol were storing a vast amount of data on what they called internally a shadow IT system. So this was a semi-official IT system. It didn't have full scrutiny of Europol's data protection function and it was constructed and largely managed by Europol Cybercrime Centre. It was called the Computer Forensic Network, but it was set up for legitimate reasons. But it just became used in ways that it was never intended for, never designed for. And what happened is over the years it was used to store more and more data and eventually it became the biggest data repository in Europol. But the problem is it didn't have the same levels of security, information security and data protection and governance as the rest of Europol. So it was a bit of an outlier. We found out that in 2019 it had at least 2 petabytes of data stored on that system. That's a huge amount of data and 400 times the amount of data that was stored elsewhere in Europol. So basically the bulk of all the data, including data on innocent people, were stored on this system. And the sorts of data there included things like people's photographs, it included data from people's mobile phones, you know, address data, biometrics for facial recognition, and it's data supplied by police forces all across Europe. Now Europol is required to store data securely and have proper governance measures in place. But we found out from whistleblowers and also documents from Freedom of Information that those controls were just missing. They didn't have them, they were not secure.
A
Yeah, I was reading the report and the write up and it said that there were massive security vulnerabilities embedded in the system itself, including access control wasn't regulated, there was no compliance with the security rules or they weren't complying with security rules. There was a lack of admin use logs and lack of password management. And alarmingly this, the report noted unrestricted software installation was possible, which is now you don't set up systems like this, but particularly you do not set up forensic systems like this because forensic systems have to be even more secure and higher integrity than almost any other system that you could possibly run.
C
Yes, that's correct. So we found an internal report from Europol that was a security audit of the computer forensics network. And as you say, it outlined all sorts of basic security problems with this network. And some of them were, you know, really serious, you know, really fundamental things that they didn't do. So, for example, by having a large number of people with administration rights, that's an immediate red flag because. Well, for a number of reasons. One is if you have a lot of people with admin rights, it increases the attack area for hackers who could possibly escalate, get into the system and escalate their privilege to gain those admin rights and steal data or change data. But it also means that users in Europol who are accessing this data on people could either accidentally or deliberately change the data or change logs, access logs, either deliberately or accidentally, and there'd be, there'd be no record of it and they'd have the admin rights, admin rights to do that. So I've got a list of some of the issues that they discovered and people who are security, have some knowledge of security, would probably be quite shocked to read them, but to hear them, but they include things like insufficient management of privileged access rights, so no control over who can access what in compliance with European, with Europol security rules, lack of password management. So that's a very fundamental thing. Lack of administrative usage logs. So Europol didn't know who'd been accessing what data or for why. Insufficient network access control. So the not enough security around who was accessing this network. So, I mean, that raises really quite serious, serious sort of wider questions, particularly if you're using this data as evidence in criminal trials.
A
So I find this kind of funny and I'm going to take a slightly on a side bit of the article and Caitlin, I want you to weigh in after this. But when you describe a policing system like that or a government intelligence system like that, the irony is that I know how to fix that problem. And the solution to that problem is called Palantir. Palantir's business model in the early days was essentially to go into law enforcement systems and find ways to clean it up and secure it and to generate proper logs. Like, I remember talking to Palantir officials after Snowden and they were saying, well, you know, if the NSA was using Palantir systems, Snowden would not be able to have done what he did. And so the. And my understanding from the article is that there was a moment where Europol was trying to work with Palantir to set up an alternative and probably a cleaner system, but even that fell apart. And so they continued to have this, this shadow IT system, which both blows my mind and it feels strange. I'm advertising for Palantir.
C
Yes, well, you're absolutely. You're absolutely right, Gus. Europol were working for many years to try and introduce a Palantir software. So they had a contract, but the problem just kept running into difficulties. I think they had a very limited number of people who bid for the contract. There was only one supplier that could do it, and it just didn't work. And they put it into emergency measures and tried to make it work, and eventually they just gave up. But that is part of the story about why this shadow IT network became used as the main data repository, because they didn't have an alternative. They didn't have a Palantir system that they could safely, and with the correct degree of data protection, privacy store data in. So they put everything into the computer forensics network. And that continued for many years until someone realized, actually, this is a really big problem, a really big data protection problem. And if regulators found out, then they could bring Europol to a halt. They could literally stop Europol functioning.
A
Ah, but you're counting on regulators being effective. Caitlin, sorry to cut you off.
B
No, I was just going to say. So shadow IT systems, like. It's not a phrase specific to Europol. Right. Our tech kind of, oh, my God, team is the word I'm looking for. Our tech team worry all the time about shadow IT, which is people going, oh, it would be easier if only I could install X, or if only I could use this AI system, or if only I could do this and doing it without telling anyone. And so this system was developed initially for a specific purpose and then spiralled at the beginning. There was another Europol system that did have all of the right access controls and data protection and privacy protections. And this was a separate thing for computer forensics. Right. Why do you think it spiralled? Was it literally just, it's easier if we stick it in the system that skirts the law, because it skirts the law, or do you think it was something else?
C
Yes, Caitlin, you're right. Shadow IT is a term not just used in Europol, but it's a term used in every organization that has information technology. And it refers to IT systems that are set up by people with very good intentions, independently of the IT department. So they just go ahead and set up their own systems, they want something done, it's very easy for them to buy their own software and do it, rather than involve the bureaucracy of the IT department. But it does mean that organizations end up with IT systems that are unregulated, that the company as a whole might not know exist and might fall outside of the security and data protection standards that the company is supposed to comply with. And that appears to be what happened in the case of Europol. So how did it happen? I think it happened gradually and possibly through a case of unintended consequences. So when the computer forensic network was set up in 2012, it was set up for a specific purpose. But gradually, over a period of time, it became used for more and more purposes. So particularly during the Paris attacks in 2015, Europol had a huge amount of data taken from mobile phones, people in the vicinity of those terrorist attacks that it had to store somewhere. And the only place it could store it was in the computer forensic network. And at that time it got special derogation from, from Europol's governance people to do that. But it was an exception. But what started out as an exception then became. Appears to become the norm. And just over time it was used to store more and more data. And much of that data had nothing to do with forensics. So I think it included things like police reports, all sorts of other data that was not really the data that was intended to be stored on that system.
B
So the concern inside Europol was that the regulator would find out, but the regulator has found out. How did that happen? And it seems like it was quite a bumpy process.
C
Yes. So what actually happened was the, I think, you know, people who spoke to us tell us that really a sort of blind Europol turned a blind eye to what was going on because they needed to store the data somewhere and, you know, it worked. But in 2018, data protection regulation started coming into force, the General Data Protection Regulation. And at that point, people in Europol started to panic that they could be subject to some sort of regulatory action if regulators were to find out about this. So there was a huge panic and Europol's data protection chief got hold of a terminal that could access the computer forensic network and carried out an audit. This was in 2019. And he, you know, he claims he had no idea about the existence of the CFN and how it was used before that, but then did an audit and became very, very alarmed and warned Europol, look, if the regulator finds out about this, they could stop us using the data. And there's so much data in there, it's all of our data that would effectively shut down our operations. And there was a huge panic in Europol as to what to do about this. And they set up working groups and committees and to try and work out what on earth to do with this massive 2 petabyte of data problem that they needed to address because of data protection laws that were coming into place. And what eventually happened there was a new head of director of Europol, Catherine De Bolle came in, new broom, clean sweep. And she decided the best thing to do was to come clean with the regulator, the European Data Protection Supervisor, and say, actually, you know, there's a problem here. And that's what happened.
A
So it's not this situation of, it's not like the regulator. The regulator is not an investigative agency of its own. It wasn't able to like, raid the, the building and find out, hey, we're here to find out how the Europol is doing things. There's this wonderful quote from the, from one of the pieces that says, when we say inspection, we don't mean a raid with IT experts, monitoring systems and confiscating servers. We are talking about a polite conversation. That's what the regulator did.
C
Yes, exactly. So we were told by people who spoke to us about what was going on that it was a very gentlemanly arrangement. So you're right, the regulator didn't come in and knock down the doors and seize servers and have computer experts poring over what was in there. It was very gentlemanly. So they would come in and say, what IT systems do you have? And Europol would tell them. But of course, the regulator could only inspect or assess IT systems that they knew about. So if Europol didn't tell them, they could inspect it. Or if the IT system didn't have a name, for example, it would be very difficult for the regulator to ask to inspect it. So there are allegations that some of these shadow IT systems were not disclosed to the regulator. There's, there's one particular one that I could talk about called the pressure cooker. That's quite interesting.
B
This is the one that was potentially used. There was an investigation into a specific activist and the processing of their specific data, and that was the pressure cooker.
C
Well, the pressure cooker was an internal name for a system. It was developed by Europol's Internet Referral unit. And the idea of the pressure cooker was to harvest data from the Internet very quickly and process it very quickly in response to an emergency. But again, it was an unofficial system. And so we have emails showing that it wasn't really, it was another piece of shadow it. It wasn't properly governed by the IT department or Data Protection department and didn't have the safeguards in place, in place that you would, that you would expect. And again, there were concerns within Europol that after this pressure cooker had been used for many years, there was a panic in Europol that the regulator could find out about it. That was a cause of great concern because people were worried that member states would lose faith in Europol, it would damage trust and so on. So there was a move by Europol to try and regularize the pressure cooker and to make it legit, but that took a very long time and they came up with something called the, the quick response, quick response area. But it took a very long time to try and regulate that. And even in 2004 there were still issues with it. And I think even as recently as this year, the regulator was very concerned about the replacement pressure cooker being used for fishing exercises. So it could be used to go and collect harvest data on people who are innocent and not connected with any particular investigations.
B
How many systems were there? Like how many shadow ICT systems?
C
Well, these are the ones we know about. We know about the pressure cooker and we know about the computer forensic network. People we've spoken to say there may be more, but these are the ones we know about.
B
Well, that's bad. I mean, it gets to the point if you're internally a policing organization going, God, I hope the regulator doesn't find out about X. Surely that's a moment to go. We're doing something that fundamentally undermines our position as a law enforcement agency. The equivalent being if you're in a room going, oh, God, I hope the police don't find out about why. Maybe it's a moment to have a conversation with yourself.
A
Yeah, apparently in so many cases in, where there's interception of communications as evidence, in cases in court, almost like a ridiculous number of them include transcripts saying, oh, if the police are listening, we're going to be in real trouble. That just seems to be a constant repeating pattern in these, in these types of cases.
C
One of the people we spoke to involved in Europol actually said, you know, that they are protecting the law by breaking it. They're upholding the law by breaking the law. So there seems to be a mentality that it's okay to do this because we're going after the bad guys. But the problem is that, you know, the privacy of innocent people could be affected by that. They could be caught up in the, in the fallout of that.
B
Well, it's just a pretty naive understanding of themselves that, like, you know, we're the good guys, they're the bad guys. These are greater crimes that we're going after. Assumes that everyone in Europol is a good guy, because that's the thing that Ed Snowden found, right? Like he was looking at, you know, all of the data collection, finding just some low level, like creepiness, like people passing people's naked pictures around the office. And it's like assuming that every single person that works at Europol, when given access to these systems, has the best of intentions and is pursuing the greater crimes is a really naive understanding of what people do when given access to power and systems full of, you know, sketchy data.
C
I mean, it's true. People are naturally curious and, and nosy and if they have access to data about people, I mean, you know, I've heard stories from people who worked in the health service when controls were a little less lax about people looking at medical records of celebrities just because they can. So it's sort of human nature to curiosity will get the better of people unless there are some controls and logs in place to prevent that happening.
A
There's another bit of human nature that applies to this case, which is there's something about politics in the last 20 years that the human nature of politics is that if we can find a policing or intelligence agency with a budget, we are actually going to increase that budget and increase the powers of that agency, almost without regard to whether or not that agency is fulfilling its purpose or is following the law. And so the irony of this entire situation is that despite this ongoing abuse of or non-compliance with, with the law, Europol is actually getting a larger budget and it's getting, it's in a potentially larger budget. Well, I think in November of 2025, it was already voted to get a larger budget. It's expanding, and the European Commission's even talking about expanding its staff and to turn it into an actual police agency. So these agencies keep on getting rewarded for their failures. And in Europe, that's certainly been the case. In the UK that's certainly been the case. What's it like to be a journalist on the side of this saying, okay, I keep on uncovering all these problematic things and yet the politicians just keep on expanding powers?
C
Yes, it seems to be a pattern that if something can be done, it should be done. So if there's a better way to spy on people, if we can do it, then we should do it because some people might be behaving in a criminal way. And, you know, if you've got nothing to hide, you've got nothing to fear, why shouldn't we monitor all of your emails and communications? Because you might be, you might turn out to be a bad person. Never mind that most of the people you're monitoring are good. So there's just this sort of, you know, if you can do it, technology allows us to do it, let's do it. But that's why you need controls and regulations. What really I found was jaw dropping in the case of Europol is that the response to finding all of these problems with Europol's compliance and regulation was that politicians decided to increase Europol's powers. So they decided, amended the Europol regulation, which is the piece of law that governs how Europol operates, to allow them to hold on to data that had been illegally collected, to keep that and also to water down the powers of the regulator so that they had fewer powers to investigate and inspect possible breaches. So you know, the way to make Europol's illegal use of data legal, Europol's illegal use of data legal, is to change the law to make it legal. And that was just, I mean, you couldn't make it up. That was just jaw dropping to me. It was unbelievable.
A
Unbelievable indeed. And so that's why, like the role that investigative journalists like you play in a democratic society is invaluable. Because without your research and your relations and your writing, we wouldn't know about these abuses. We have a role as in PI and organizations like PI, that we have to get these findings in front of the eyeballs of policymakers and decision makers to say, hey, something's got to be done. And yet there's something broken right now where nothing does get done. Like there was a consultation ongoing or recently finished about giving Europol more powers. And I think we were one of the only organizations speaking out against it. And of course we quoted the work that you've done and saying, look, there are serious problems here and yet it's not getting fixed. And this is at this moment before I say before, but we know that AI is being added to this fire. We know that these police and intelligence agencies are increasingly looking to use AI and AI systems, love a nice big data set. They, they offer to make sense of that data set. And have you come across and this Sorry. And this is one of the areas where we struggle, because while the tech firms love talking about AI and politicians love talking about adopting AI, getting law enforcement agencies and intelligence agencies to talk about how they're using AI, we're just not getting anywhere. Have you had any luck?
C
It's very difficult. Some journalists on Computer Weekly who write for Computer Weekly have tried, but you're right, it is very difficult because there are so many exemptions for law enforcement under Freedom of Information. But there ought to be transparency about this because if decisions are being made by AI or we should understand it and we should understand how algorithms work and, and how they might be biased and whether they might negatively affect particular populations, such as ethnic minorities or minority groups. And I think there needs to be a lot more transparency about that. I mean, I think Privacy International have done a lot of great work in this area on algorithms and a lot of great investigations. And it needs organizations like Privacy International to carry on digging and drawing attention to lawmakers about these issues. Someone needs to do it.
B
You know, following your reporting, some MEPs did raise concerns about and did ask that the expansion be paused. And it clashes at the same time with an ongoing concern about Frontex transfers to Europol. Right. Which also has MEPs concerned and has also raised kind of legal issues. How likely do you think that is? And, yeah, what will become the MEP concerns?
C
I guess, yes, MEPs are definitely on the case now. They're asking questions and they're writing letters to European commissioners and suggesting that Europol's expansion should be halted until these issues are sorted out. So things are happening and people are asking questions in the UK. David Davis, Conservative MP, has been asking questions about Europol as well. And other publications have investigated Frontex and data transfers between Frontex and Europol, which turned out also to be illegal. And same sort of issue, lack of governance that we discovered with shadow IT, sort of. So definitely questions are being asked and people are applying pressure. Where this will go, I don't know. But it's really good that people are asking questions as a result of this information becoming public.
A
And what I wanted to talk about was the cases that you have covered in the past where extraordinary things have happened. Like, I know your colleagues at Computer Weekly were involved and they. The Post Office scandal in the UK and the Horizon scandal. And that has led to extra. Like, it led to storytelling, it led to inquiries, and it is still in the process of leading to a form of justice. So there is. There are happy endings to some of these.
C
Yeah, thanks. To the work you do. You are completely right, Gus, and we mustn't be completely pessimistic. So, yes, journalism does have an impact. It has an impact over time. It rarely changes things overnight, but it does change things over years and decades. So the Computer Weekly, I think, first reported the Post Office story a very long time ago, and the story came out and had absolutely no impact whatsoever. Astonishing story about postmasters who were being sent to jail for crimes that they hadn't committed and, you know, in some cases committed suicide and were left in terrible financial positions due to errors in computer. Computer software. Not just errors in computer software, but the refusal of an organization to admit that there could possibly be errors, that the computer could possibly get something wrong. And with the first story, we could only raise the question, you know, isn't it odd that this thing is happening to so many postmasters who all use the same computer system, and they all had money inexplicably disappearing from their accounts that they were forced to repay because it was assumed that they were stealing it, and each one of those postmasters had been told that they were the only person in the country ever to have experienced those problems. Well, that was a lie, and I think that was a lie the first story exposed. But then it took years of reporting by my colleagues for something to happen. It was picked up by BBC Local Radio and eventually Nick Wallis did a Panorama, more than one Panorama about it. And the thing that made the difference was when ITV did a document, documentary, docudrama, Mr Bates vs The Post Office. And after that, it just brought the whole thing home to the nation. And after that, things really began to change and there were moves to compensate the postmasters and to redress some of the damage that has been caused. But of course, it's still going on. There are still, still problems.
Problems have emerged with other Post Office systems that were used before Horizon, same issue. And many postmasters are still awaiting compensation. So we're still pushing out the stories. My colleague Carl Flinders has been plugging away at this for decades and it's still ongoing.
B
Do you think that this kind of computer, this trust people place in computers and computing systems is a common trend that you've seen kind of working at Computer Weekly, because there's certainly we've looked at the most random things like ID systems. We were involved, I think, in a court case where one of the lawyers was saying, but this system's unhackable. And our technologist was reading through all the documents and going, no system is unhackable. What are you talking about? And we see it again and again and again, people going, oh, but the computer. But the computer is a magical and viable box, and surely the computer knows more than I do. Is that a trend that you see as well?
C
Well, there's an old expression, isn't there? Garbage in, garbage out. So the computer is only as good as the information loop that you put into it, and it's only as good as what people do with that information. There is a legal issue as well in that courts assume that computers have got it right by default. And if you're in a legal case and you're fighting a case that involves a computer mismanaging your data and causing money to disappear from your account in your post office, it's not the post office that has to prove that the software works. It's you that have to prove. Has to prove that it doesn't work. So, you know, it's only thanks to court cases and whistleblowers that have come out that that's been proven. So I think there was a case to change the law. It shouldn't automatically be assumed that the computer gets it right, because we've seen time and time again the computer doesn't get it right.
B
And in the context of the Europol database, where a computer forensic system doesn't log, who's looking at things, doesn't log when things are changing, doesn't do any of those things, that would mean that it would reach the standard required for actual use in a, in an actual court. But no, but they haven't told anyone that, like, is that. I don't know where I'm going with this. I suppose the question is around undermining prosecutions, which probably isn't a reasonable question.
A
It is. That's. It's an unsafe chain of custody on, on. On forensic data that will be used to prosecute people. It's exactly right, Caitlin.
B
But do people look at it differently when it's data? You know, like if it was a. If it was a knife that I picked up at a crime scene that then I couldn't tell you who touched. I couldn't tell you where it's been. I didn't take pictures where I found it or whatever, that was something that would be pretty heavily challenged in court. But when it's data, it feels like some of that people aren't looking for those things in the same way. Is that fair?
C
I think that's exactly right, Caitlin. So if you had a knife at a crime scene, it would be picked up by forensic experts. And they'd put it in a sealed bag, and there'd be a record of its movements and who accessed it and where it had been. And if it was used as an exhibit in a courtroom, you'd have that full chain of evidence of how the knife came to be in the courtroom and, you know, every step of the way how it was handled and who had access to it. With data, it's much more difficult, particularly if it's not held in secure conditions. There's a whole question, as Gus was saying, whether you have, you can prove that chain of custody. And this is becoming a big issue in many of the court cases that we're seeing around Europe involving messages that were harvested from encrypted phone networks, such as EncroChat and another one from Sky ECC, that, again, we didn't talk about this in our story, but tens of millions of intercepted messages from these phone systems are being stored and analyzed by Europol and sent out to police forces in different countries to pursue criminal investigations against drug traffickers and so on. But there are questions over the chain of custody of this data, and defendants should be able to access the original underlying data. But very often they're not getting the original underlying data. They're getting spreadsheets of data that someone has made. But we don't know the chain of, or they don't know the chain of custody of how those spreadsheets came into being. So it is a big issue, and there are many sort of legal challenges going on over whether this data is admissible in court in various jurisdictions in Europe, and the law differs from country to country, but it'll end up in the European Court of Human Rights, I think.
A
Well, talking about that, I can't let you go without asking this question. And you might be bored of having to talk about this because this goes way back in your life, but you're part of, like, European Court of Human Rights jurisprudence. There's a case with you dating back to the 1990s, if I recall correctly, right?
C
Yeah, that's correct. This was very young. It was when I was my first job in journalism, when I was 23, I think I'd been in a publication, The Engineer magazine, for three months as a graduate trainee. And I got a phone call from someone who had some interesting financial information, oddly enough, about a computer software company. And I phoned them up and said, is this true? And their response was an injunction, which arrived over the fax machine. Oh, how exciting. I've never had an injunction before, but it sort of quickly became, quickly became a bit serious. And I remember my editor, we got summoned to a board meeting of United Newspapers, which at that time owned The Engineer. And I remember my editors telling me, you do realize you could go to jail? And at that point I realized it was actually quite serious. But I was very lucky because I worked for a company that completely backed me all the way legally. And it just became a very big
A
case because you could go to jail for not disclosing the source.
C
This is astonishing because it wasn't a story about government or official secrecy or Snowden or anything like that. It was a very ordinary business story. But at that time, yes, the company could demand that I disclose the identity of the source in a civil case and I could be sent to jail for refusing to disclose the identity of the source because I'd been in contempt of court by disobeying a court order. So I was actually ordered to disclose the source and I didn't and that put me in contempt. What actually happened was they were determined to have me sent to jail. But the night before the hearing, before I was due to be sentenced, we had an off the record meeting between our solicitor, my solicitor, Geoffrey Bindman, and their solicitors. And they were in one room and I was in another room in my solicitor's office. And they were saying, we have a right to get Mr. Goodwin to go to jail, we have a right to send him to jail. And it was pointed out to them that, yes, you could have a right, you could send me to jail, you can do that. But I mean, I should backtrack. One of the extraordinary things about this case is that the identity of the company was a secret. So all the court cases were held in camera in private hearings. Journalists were excluded from them. I was injuncted, it was a super injunction, so I wasn't even allowed to tell anyone about the existence of the injunction. You know, I couldn't tell my mum and dad without break. I mean, I broke the injunction to tell my mum and dad, but you know, I could have been jailed for doing that. But anyway, anyway, coming back to this meeting, it was pointed out, we pointed out to them, yes, you can have Mr. Goodwin sent to jail if you want, but you do realize that if you do that, there'll be a huge campaign to get him out of jail. Your company will be named, most likely by MPs using parliamentary privilege and it's not going to go well for you.
And we didn't know what they were going to do, we didn't know which way they were going to go. So the next day I turned up in court with my toothbrush just in case. And their barrister stood up and said, you know, Mr. Goodwin deserves to go to jail. And here's a long list of reasons why Mr. Goodwin deserves to go to jail. But in a gesture of humanity, we're not going to ask the judge, so I don't go to jail.
A
Oh my God.
B
And you did take, of course, the case all the way to the ECHR and get a ruling on freedom of expression grounds that that wasn't going to happen again.
C
We did. So we lost in every court it was possible to lose in the UK. So it went up to the House of Lords, which is now the Supreme Court. And the more, the more, the higher you go up in the court, the more belligerent. Am I allowed to say judges are belligerent? But they were quite belligerent. They told my barrister, we don't even want to hear your case. I mean, in the House of Lords, we don't even want to hear it. But then sort of seven years later we took it to the European Court of Human Rights and I was very lucky to be supported to do that by the Journalist Union and in the European Court we won. And that created a legal precedent that allows journalists to protect their sources. And it's now recognized as a fundamental part of freedom of expression under the European Convention of Human Rights. So, yes.
B
Which is a pretty amazing way to spend your 20s.
A
What the hell was I doing in my 20s for crying. That's amazing. Like, and it just, it gives me so much hope like, like the, the fact that you as a 23 year old and then all the years of fighting can unlock a right for everybody that comes after you. And similarly, as a journalist, all the work that you and your colleagues have done that have brought justice or is in the process of bringing justice, you know, as dark as it is right now about whether Europol is going to be held to account, whether they're going to get a larger budget, they're going to have more staffing and more technical capabilities. We can't lose sight of the fact that this works and it's thanks to people like you. So thank you for joining us on this.
C
Well, thank you, Gus. Yes, we keep chipping, chipping away and over time we make a difference, I think. I'd like to think that.
A
Thanks for listening. You can sign up to be the first to learn more about our work at pvcy.org/podsignup and we'll include some links to Bill's articles, our own work on Europol, and many other issues that we raised in this podcast. We'll include them in the information, in the description, wherever you're listening, or on our website at pvcy.org/techpill. Don't forget to rate and subscribe to the podcast on whichever platform you use. Music is courtesy of Sepia.
Podcast: Technology Pill
Host: Privacy International (Gus Hosein and Caitlin)
Guest: Bill Goodwin, Investigations Editor at Computer Weekly
Date: June 19, 2026
This episode delves into an investigative exposé on Europol’s "shadow surveillance" and critical data governance failures. The hosts, alongside guest Bill Goodwin, unpack how Europol—the European police coordination agency—has accumulated expansive surveillance powers with little accountability. They explore how Europol’s use of unregulated “shadow IT” systems has resulted in mass hoarding of personal data, including on innocent people, and how oversight systems have failed to keep pace. The episode frames the conversation within wider questions about surveillance, the normalization of state overreach in the name of security, and the enduring role of journalism and civil society in checking power.
“If you're trying to imagine an FBI equivalent, … actually it's not so easy because of the way that Europe is structured.” – Gus (01:26)
Shadow IT refers to unofficial, under-the-radar IT systems, built or maintained without formal approval or oversight.
The Investigation:
Security Failures: The CFN lacked basic security:
“...Over the years, there have always been questions about how scrupulous Europol has been at storing people's private data and protecting private data.” – Bill Goodwin (07:50)
“...They didn't have them, they were not secure.” – Bill Goodwin (11:43)
“I've got a list of some of the issues that they discovered and people who are security, have some knowledge of security, would probably be quite shocked to ...hear them.” – Bill Goodwin (13:26)
“...That is part of the story about why this shadow IT network became used as the main data repository—because they didn't have an alternative.” – Bill Goodwin (17:21)
“...If the regulator finds out about this, they could stop us using the data. And there's so much data in there, it's all of our data— that would effectively shut down our operations.” – Bill Goodwin (23:15)
“We are talking about a polite conversation. That's what the regulator did.” – Gus (24:39)
“They're upholding the law by breaking the law.” – Bill Goodwin (29:42)
“Assuming that every single person that works at Europol ... has the best of intentions... is a really naive understanding of what people do when given access to power.” – Caitlin (30:17)
“What really I found was jaw dropping … was that the response ... was that politicians decided to increase Europol's powers … to allow them to hold on to data that had been illegally collected… to make it legal. And that was just … unbelievable.” – Bill Goodwin (33:52)
“But there ought to be transparency about this because ... if decisions are being made by AI … we should understand how algorithms work and ... whether they might negatively affect particular populations.” – Bill Goodwin (36:56)
“With data, it's much more difficult, particularly if it's not held in secure conditions…” – Bill Goodwin (46:30)
“...There are questions over the chain of custody of this data, and defendants should be able to access the original underlying data. But very often they're not getting the original underlying data…” – Bill Goodwin (47:39)
“It rarely changes things overnight, but it does change things over years and decades.” – Bill Goodwin (40:22)
“There's an old expression, isn't there? Garbage in, garbage out.” – Bill Goodwin (44:12)
On the normalization of surveillance:
“What really I found was jaw dropping … was that politicians decided to increase Europol's powers ...to make Europol's illegal use of data legal... you couldn't make it up.” – Bill Goodwin (33:52)
On optimism and fighting back:
“We keep chipping, chipping away, and over time we make a difference, I think.” – Bill Goodwin (55:28)
On human nature and surveillance power:
“People are naturally curious and nosy and if they have access to data about people...curiosity will get the better of people unless there are controls and logs in place to prevent that happening.” – Bill Goodwin (31:04)
For more information and resources, see the episode description or visit privacyinternational.org/techpill.