 Welcome everybody to our next talk, Electronic Evidence and Criminal Matters, an introduction and critique of the EC proposal for a regulation. Our speaker is Klaus Landerfeld. He is a member of the board of the Eco Association of the Internet Industry, and he's also in the board of directors at the Dick Kicks Group AG. And usually at first sight you would think that it is a good idea to have an easier way for law enforcement authorities to secure electronic evidence when there is the suspicion that maybe there was a crime committed. That sounds reasonable at first, but as is often the case with such proposals, there are some shady side effects that people either have not thought of or they have thought of them, but they don't care, particularly there's a lot of concern when it comes to data privacy. And Klaus is going to tell us now what the problem is and what should be done about it. Please give a big warm round of applause for Klaus and have fun. Yeah, a proposal for a regulation on European production and preservation for electronic events and criminal matters is a very ungainly name, and it has come out as cumbersome as one might expect. So what's it all about? It's actually a proposal from the commission from April this year with a proposed regulation. Regulation meaning it will become direct law in every country, so there don't need to be any transportation into national law. And let's be very clear right from the onset, this is about access to store data by law enforcement. So this is not about mass surveillance or preemptive measures or something like that. There needs to be an ongoing investigation, and this is about gaining evidence for that ongoing investigation. So it compels service providers who enable legal or natural persons in one or more member states to use the services listed. I'll explain what that means. To directly cooperate with law enforcement from another member states, usually that never happens. So you're only talking to law enforcement in your own member state. And that's actually what is different. So the scope of the regulation is that a service provider is supposed to provide a full copy of all stored data. So I go into data types a bit later as well. From the inquiring member states. So data types could be everything. Telephone records, email transaction data, communication data, cloud storage, anything. And the authorization and the limitations for the access exclusively follow the law of the requesting member state, meaning the state where the investigation is actually happening. So it doesn't matter where you are, which law system you under. The only law which is required to be upheld at that point in time is the law of the inquiring member state, which is one of the big problems of the proposal. So it isn't even a requirement to even involve the state where you reside in or even inform the authorities that data was requested from a service provider in your country. So which type of services are covered? I think that's one of the most essential parts. So the commission made a presentation for that at the open meeting in May and gave some examples of service providers. So everything you'll see in the next three slides is not from me. This is actually the examples provided by the commission. And it's three areas. It's electronic communication service is defined by the European electronic communication code. It is also information society services. That means things like social networks, online marketplaces, other services facilitating transactions, hosting service providers, all this stuff. But also internet domain name registrars and registries, IP numbering services and things like that. So what were the examples given by the commission? For access service, they used BT Vodafone. Every internet access service, be it via fixed line or mobile, is basically covered that also covers in principle at least Wi-Fi providers, even so it's very difficult obviously to get some data from them. It's also interpersonal communication services. So everything, email, SMS, stuff like that. So they use KPN Vodafone Tele2, la, la, la, but you'll see also telegram, Skype, WhatsApp, Signal. So there after every type of interpersonal communication, also email services, everything. A bit more tricky is the conveyance of signals. That's also one area. So what the commission listed here is in principle also ISP, satellite network providers, but also radio and TV broadcasters. So they could basically tell you, oh, if you have a subscription, was that used for somewhere else to gain insight into where people were using the service from, for example. However, in having further talks with the commission, we found out that might also include IoT services, all sorts of other communications where the only requirement is that the company offering the service controls the transmission of the signals over the network, which obviously falls for every closed service. So it's a very broad definition. It gets even worse if you look at the information society services. They're obviously looking at social networks like Facebook, Twitter, LinkedIn, Google, online marketplaces, Amazon, eBay, Twitter, Hunts was explicitly mentioned as examples. But also, and this is where it gets tricky, hosting service providers like Amazon Web Services, OVH, Cloud Service Providers for corporate infrastructure. What does that mean? Basically, everything which is stored with someone else could be accessed through that regulation. And they also mentioned services like YouTube for uploaded videos, Microsoft Azure, Microsoft Office 365. I was kind of like, oh, wait a second. Does that mean a document's stored there? Yes, that's what it means. Online gaming websites, or even things like iTunes, so what did you download there? And when did you use the service from where? This is all stored data. So you could basically get transaction data from these services. For the inter-domain IP numbering service, they use Drive as an example for the IP addresses. For registries, your ID, the National Registration Service, but that obviously goes for the German registration service and all the similar ones as well. So this is just examples. Registries like OVH.com, KPN, and things like that. But also, privacy and proxy service providers, United Domains was listed because they provide the anonymity service nowadays under the GDPR so that you can't see who's actually behind the domain. So they can target these as well in order to release who's actually ordering the service. Well, to be very clear, it is all data stored in a single member state, which is supposed to be released to requesting member states' law enforcement authority within 10 days. Or in emergencies, even within six hours. So service providers are required to deliver a full set of data stored with them within six hours if that it's declared a very important inquiry without involving your national authorities at all. The idea behind it is that each EU member state has its own governance laws and that the law enforcement procedures can be followed through to investigate in all EU member states, regardless of the locality of the actual stored data. The service providers are not even supposed to check the legality of the request. And most often, they will not be able to do so because they don't know the law system of the country where the inquiry actually comes from. And that is not harmonized. Criminal law is not harmonized throughout the EU. So the time frames, what can be prosecuted, what even is a punishable offense, things like that is not harmonized throughout the EU at all. Can liars do that already? That's the question I often hear. In principle, they can already do that. They can access all sorts of stored information if they have an ongoing investigation and to further a case or further the ongoing investigation, they can already submit a request for stored data, but not to the service provider. They'll have to go to the law enforcement authorities of the country where the service provider resides, or the customer resides, in order to get that processed. So the authorities of where the seat of the service riders will have to process the request and will only forward it to the service provider if that is a punishable offense under local law. And the request warrants a release of the data. There might be other provisions why that is not acceptable to release the data. This is all circumvented by this proposed regulation. Normally it's the application of the local authorities to observe our local laws, that the individual fundamental rights and all legal remedies are given to the person in question and things like that. That's all upheld under the normal procedures, the multilateral agreement by the local authorities. So what are the challenges to individual rights? There are certain problem areas identified. Obviously, the enforcement of due process and the legal remedies for the individual are not clear at all. If you live in a country, data from you is requested, what do you know about what is happening in WoggerWoggerLand? Whatever, I mean, what the legal remedies are there, how do you actually file a court case, what are your rights and under their data protection laws and everything? You just don't know. And there is no harmonization in that as well. Even the information after a case is closed and you were clear maybe that you're informed that data of you was handled at all. There is no harmonization for that as well. You might never learn that your data was actually released. Typically under national law there are provisions that this happens to this and that extend one way or the other. This proposed regulation does not cover that at all. Only the law of the requesting country is taking into account. So we have some examples on where that might affect people. A good example is abortion in Poland. It's illegal there. You might have several years of jail time for that. In other countries, it's completely legal. So if you would use email services to arrange for that in the Netherlands, you might be very careful that you won't have that visible in Poland. Still, it might be requested now from the Netherlands. And you might be prosecuted based on that. We had a good example in Germany earlier this year when Putzermann was even within the authorities that actually put him under hold at some point. But the German court ruled, wait the offense where the arrest order was put into effect, that's not even prosecutable in Germany. So they had to release him again. But everything which would have happened in between telephone calls, cloud data, anything emails sent from that could have been requested by the Spanish authorities if that were already law. Another good example in Austria, it's legal to use toll data to actually build a case against someone where did someone use the roads. There's a provision in German law that you can't do that. The data of toll collect cannot be asked for by the authorities to build a criminal case. There's no provision that this is not going to happen. Meaning data can be inquired from a foreign country which your national law enforcement authorities cannot even inquire, which is it's very hard to explain to local law enforcement that they cannot ask for data which other European countries can ask for. We have the same problem with the types of cell data, for example, or location data from cell phones. In Spain, you can do mass inquiries, even for whole zones or whole cities, which is illegal in Germany. So a typical example from Telefonica, they told us, oh, it's normal. We release several hundred thousand data sets for one inquiry while in Germany this would be completely illegal. Also, there is no harmonization for the treatment of stored data, so very personal information for photos, diaries. But also, if you look at the fact that they want to go for cloud service providers for enterprises, what about company secrets about intellectual property rights? Are we supposed to release everything, your whole cloud storage, whole corporate networks, cloud storage, to law enforcement based on a request which might not even be prosecutable in your own home country? It's very unclear, and that has not been remedied in the talks over the course of the year. Interesting enough, a similar measure would never be accepted in the physical world. So imagining the Hungarian police ringing at some flat in Vienna somewhere in the morning just looking at it, copying everything they want and leaving again, not even telling the Austrian authorities they were there. Completely unthinkable. No one would accept that. No country would accept that. But in the digital world, it's exactly the same. So they think, well, why not? It's just digital data. The same is, they have certain constitutional rights. Best one, well, obviously I know that best because I'm from Germany, but we have something you just call the Kahnbereich Schutz in Germany. That is the core private life which is protected even from law enforcement. They cannot look at this data. And in the Lisbon contract, there was even a provision for that, that no European law can infringe on that right. This one does if it becomes law. So obviously, it's not thought through and it needs some amendments. There are also procedural problems. So every judicial authority of a member state is authorized to issue European production and preservation order and directly contact the service provider that offer the service. So we're talking about tens of thousands of service providers throughout the EU, but we're also talking about thousands of authorities which are in principle allowed to issue these production and preservation orders. So in Germany, this is 900 eligible authorities. We counted them and we did some counts in some other countries. So we estimated to be 13,000 authorities which can go to every single service provider and ask them to reduce data. An impossible amount, how should the service provider be able to detect manipulation? How do we even know that this is a genuine request that the authority inquiring the data is even allowed to do so? So possibly the EU Commission could publish an official list of authorized agencies, but it says, oh no, we're not going to do that. This is the individual country's responsibility and the countries do not want to publish this list of authorized agencies, which makes it even more strange is that coming up with the idea, hmm, is this going to be electronic inquiries which are signed, which we can maybe check upon? No, no, no, this could be paper, it could be text, it could be anything. So another area which is not harmonized and where the regulation has problems is the regulation of maximum penalties or minimum penalties, it's a bit unclear. One of these orders can only be sent out if the crime you're accused of is punishable and this soon stays with a sentence of at least three years. But this is, it's not really very much. So there could be fraud, there could be anything. So three years is a joke, especially looking at the fact that there might be several countries inquiring the data and even if in your country or in your neighboring country it might be only two years, there could be another country in the EU where there's a five-year penalty on exactly the same crime. So this doesn't really give you anything. And a case-by-case examination of the service provider is not possible anyway. How should a service provider be able to check that specific offense, which he's not really even in detail told about because he's not allowed to know what the specific offense is, and how should you check if that legality is upheld and if the request of the assessment of the state inquiring the data that, yes, this is an offense punishable by at least three years is actually true. The service provider will not be able to do this. And the same thing goes for the question if that is punishable in my country at all. So we cannot really tell. These problems could be solved by a binding list from the European Union and that would be sensible in considering harmonization is what they're really trying to do. So that specific offenses are listed in sort of a catalog where you can say, okay, but this offense on a pan-European level, we see this minimum sentencing or things, but the states have signal, they have no interest whatsoever in harmonization and the criminal laws. So they don't want to produce that catalog and they cannot agree on a catalog. So it is very clear that obviously companies should not be permitted to produce data for foreign authorities that would domestically not punishable, but it is very unclear right now how this can be achieved, how a service provider is even able to check that anything he receives is genuine. The same goes for the relationship to third-party states. There should be a provision in there that transfer of the data gained should not be allowed to be transferred to a third party. So one European member states requests data and then shares it with the US, for example. I think it's very clear that this should not happen, but at the moment, individual member states can negotiate their own individual agreements with whom they share data under what provisions. And we think that there should be something in the regulation that says no, this can only be done through the entire union. If, for example, the US Cloud Act, there's a provision that data is shared with you, it should be harmonized, it should be the same regulations, the same way to do this throughout the European Union so that not one country can do their own individual contract on that. The same goes for the existing process. There is a process of voluntary cooperation and a lot of countries have individual contracts between each other on how to share data. So whatever the Netherlands and Germany have a contract, Austria and Germany have a contract, France and Spain have a contract on how to help each other in gaining this data. Currently, it's not clear what is the leading law. Will this be the new regulation, be the conclusive agreement, or will the individual contracts still be upholded, especially if there are lower standards? And in some cases, there are lower standards for this cooperation than what the epoch now stipulates. And obviously, this also goes for the non-EU states and the production of evidence there. So it must be very clear for all parties involved what is the new standard and which standard should be applied. Even worse, there are no technical provisions whatsoever. The proposed regulation is only about procedures and minimum sentencing and things like that. There isn't even an opening clause to come up with a technical specification. So, but in order to make this a timely response, if we consider six hours and things like that, we need a technical regulation. If something like this will even come to pass. So for the European investigative order, there's an Etsy standard, which secures the integrity and the privacy of the data while it is transmitted. It's obviously encrypted. For the epoch, there's nothing. It's not even clear how this is supposed to be transmitted. You could receive effects and then, what do you do? You produce electronic data. You don't even know what to send it to, unencrypted via email. That's, there's no provision in there at all. And if the opening clause for technical provision will not be in the proposed regulation, then you cannot have a technical provision afterwards. You need to amend the regulation. So this is really a requirement which is absolutely essential in a digital world. I can't even understand how someone can come up with a proposal for electronic evidence, which does not say it needs to be transmitted electronically. I mean, it's, well, okay. Yeah, well, for people versed in digital matters, it's, I don't know, right? So the same goes for companies. I mean, obviously a lot of you probably work for providers or some companies which offer digital services. So in principle, a unified procedure for a single market. I mean, we're working on the single European market for electronic communication, for electronic goods and services. So in principle, the idea that there is a unified procedure on how to access data and what data should be accessed is not a bad idea. I have to admit, it's sometimes very difficult to work in the current system where there are individual agreements between some states and what can be shared and how it's done is a bit unclear. And you never know when your own local authorities talk to you and request some data if this is actually for some other country. You never know. So procedure would be very helpful. But the direct contact of foreign state authorities with you as a service provider in another country means there is a discharge of sovereign tasks by your own state. And that is something which we view is very problematic because who is responsible to uphold the rights of the individuals in that setup? Will that be discharged to the private company, the private sector? It's something which obviously politicians are trying to do all throughout the EU, typically within national law. So there's a lot of state responsibilities being outsourced to private sector companies nowadays. But on international law or international treaties, you almost never see that. So why is that in here? Why are the state's responsibilities simply ignored and the individual countries have no rights, no safeguards, nothing in there to protect their own citizens? That we as industry, few as a big problem. Because obviously this is also about liabilities. It needs to be clear for a service provider to have a release data based on that regulation that I'm only acting in an official capacity, working on an official state order and carry out measures that have been prescribed by, well, yes, some other state, but at least for some state. So I'm not liable for releasing that data. Under the current proposal, it's not even clear if the user could not sue me for the releasing that data. Yes, it is EU law, but it's very unclear how that relates to the national law about safeguarding data of the individuals. Actually, one provision is in there, which states that if I don't follow the order, if I don't release the data in a timely manner, I could be fined up to 2% of my turnover as a company. So again, very hefty financial risk, not responding in emergencies within a couple of hours. So am I willing to take that risk? Am I willing as a company to not follow that order and actually do some checks, do some legality checks? I might not, if I'm a large company, I'm talking about several million euros or even a billion euros or something like that in potential fines for not following that request. It's very difficult, so this should really be put into the proposal. It should also be very clear that if that was a manipulated request and I have no means to check this, I have no means to do a signature check or something like that. If I receive a fax with a stamp from some court somewhere, I cannot verify if that is even a true court, if that even exists or if that has the authority to request this type of data. Under the current proposal, I'm supposed to simply release data. I'm not even supposed to properly check this. So can I be made liable if that was fraud, let's say court fraud, that we think is a big problem, at least for the companies. How can you do business in an environment like that? And obviously you cannot check if that is legal in 28 different legal systems. And it should also be clear and that's also not part of the proposition right now that the data cannot be used for something else. So it was requested for one thing and it can be used in a different legal case. Not even that is in there. And also it should be very clear that evidence released to a law enforcement authority and then it becomes clear that this data should not have been released, that it cannot be used in court and that is also not in there. So what is the current status of the proposal? Where are we in the process? It's not law yet, it's not passed. The European Data Protection Board adopted a resolution that said this is very critical and it's not supposed or shouldn't happen. On the 26th of September, but the Council, so the EC Council adopted it as is without amendments on the 7th of December. So if it goes through Parliament as well, then it would become law immediately. If the Parliament stops it, then there will be trial log disputes and we can actually still prevent it from become law. The Parliament held a hearing on the 28th of November and it's currently not clear if there will be any further hearings or proceedings before the EU election in May. So what is required? And that's where I say it should be a call to action. Please, in this case really, NGOs, private individuals and companies we're all on the same side here. This should not come to pass as it is because it will really rob you of clear law and a clear system on where you are, on what is really the law system you work in and you can actually have a clear understanding of what, if you save something on the net or if you put something in storage somewhere, if that is not released to someone else. Only a handful of companies opposed the regulation. So there was active opposition to that. There was Germany, the Netherlands, Finland and Greece and also Hungary and the Czech Republic but on different grounds because they thought it doesn't go far enough. So that's the typical things you have in the Council. However, the primary advocates for the proposal were France, Spain, Ireland and Belgium. So they sponsored it. So especially in these countries it would be helpful if people would become active, talk to their governments locally, talk to their parliaments and actually say, okay, well, what is happening here? Why do you support this? Support can still be withdrawn until this was actually adopted. Also, obviously, people should talk to their members of parliament and make clear that this is not something which should become law. So as I said, there is still some time to act, probably the first quarter at least, maybe up until after the European election in May. And I hope that there will be some action that people see that this is a big problem and these production orders should not come to pass. Yeah, thank you very much. Materials used. I recommend these as readings. So there was the opinion of the European Data Protection Board, the original proposal, but also a study for the parliament done, so the legal committee of the parliament, which also strongly requests the parliament not to adopt this. So if you're interested in the topic, look at these materials. And yeah, I'm open for questions. Thank you very much for the talk, Klaus. We still have quite some time for questions and answers. So if you have any questions, you can move to any of the microphones we have here in the room and then we will be happy to take your questions. Are there any questions from the internet so far? Doesn't seem so. There's still thinking about it, maybe. So let us start with microphone number five. When pushing for the electronic signatures and the proof to have a valid request, it ought to be wise to ask for a secondary legal check by the local authority, because when you have a digital format, you can also speed up the check by the authorities. Yes, we thought that, well, actually what the service providers proposed was that it should actually be sent out from the local authorities to some central agency within the state. And they, well, the original requesting authority to sign it, the outgoing central authority should have signed it. Then there was an inbound called double tandem so that both countries actually check on it and then only then it's forwarded to the service provider and you would be able to check signatures on this. So that there was a legality check and also an integrity or an authorization check on this, but it was flatly refused. Even in Germany, the Bundesamt, Bundesamt für Justiz, they said, oh, but we can't do this 24 seven within six hours, it's impossible. So every service provider is supposed to do it, but they cannot do it. But the check, the actual, that the legality check outbound and inbound, we think this is absolutely mandatory to do. Thank you, next question for microphone number two. Thanks Klaus for reporting about this nightmare. When there is an incoming request from a local authority, let's say to D-Kicks, is there any proposal in which language it should be? Should it be in German or in Polish or are you expected to learn all these languages? It's a, well, actually D-Kicks cannot really have these requests, different story. Actually, every company or every service provider is supposed to publish an address to forward requests too and the languages they are willing to accept these in on their website. Don't ask me why, we thought that as with the list of authorities being eligible to request, a list of service providers which can actually receive these would be a nice thing to compile on a national level and then be exchanged maybe through Europol or something like that. But again, flatly refuse because one, it's too difficult to compile this list of authorities who can inquire and electronic signing is completely out of the question. It's supposed to be a couple of years before the local authorities can sign stuff and also this finite list of service providers who can actually receive it was supposed to be impossible to compile because you've seen there's some rather open definitions in there like these controlling signals on the network stuff, right? Anyone who's transmitting and storing data in some fashion could potentially be a target. So the authorities thought that it's impossible to compile a complete list of potential recipients. I'd like to remind the people who are already leaving to please do so quietly and everybody else was in the room to also be quiet. Next question from microphone number three, please. So since you have a big German audience, sorry, the echo. Since you have a big German audience, which of the German European Parliament politicians support and oppose this and which of them do you think should we direct our attention to? Honestly, I cannot answer that because I haven't talked to the German members of Parliament because we were able to convince the German government that this is a bad idea and they oppose the measure altogether. So we need to do this now and we also need to go to Parliament, of course, but my colleague in Brussels already did this, but I don't know who he'd actually talked to and who he didn't. That would be Thomas Bill Maier of Echo. He's talking to the Parliament there. Microphone number seven, please. Yes, how are the sending authorities supposed to identify where to send a request? Like even if you look up on an IP address, it might not actually be the company that's responsible for the server. It might even be like the upstream ISP of the co-location company that has a customer that's where you're supposed to send a request. Very good question. No, I seriously cannot answer it. The proposal doesn't stipulate that. There is no provision in there how to find out who the actual service provider is. So that problem is there today as well. So they need to identify who the service provider is today as well. So there's really no change for the requesting authorities there. Microphone number six, please. Hi, thanks for the talk. I was wondering. So you said attacking state laws are above the targeted state laws. Could there be any protection? Like if my state's constitution says a foreign law cannot apply here, could it invalidate the regulation? That's what we're aiming for. We hope that this will actually come because this is what would be required. If, for example, there are preventions to use data for doctors and members of parliament and things like that, that's not even in there as well. So if there are local requirements that data cannot be released, that is not upheld as well. So, and it's actually a good attacking point for members of parliament to tell them, well, you know what, under this, even your data can be released. And they're typically very proud of their protection. This proposed regulation doesn't clarify this. You have to release the data no matter what because the presumed check already happened at the requesting entity. And it's only a question if it's punishable with at least three years in the requesting state. So your law doesn't matter at all in the regulation as it is right now. Now the time of the internet has come and they will be asking their question. I actually have kind of a double question. For one, is law enforcement actually defined in a way or is it just law enforcement without any definition? It's, well, it is actually, for some things you need a court order as well. So it's basically police, the state attorneys and the courts on the different levels. And under some local jurisdictions, it's very clear that data can also be requested by secret services and things like that as well. So they would probably fall in that range as well, even so it explicitly says that it's only for criminal proceedings. So it's very difficult to tell if they will probably be able to send this through some police agency or something like that. But it's clearly just for criminal proceedings. One actually need to go to kind of a judge even in the requesting country or is it completely free to send request? That depends on what the local law says. If you can request IP addresses, names, certain types of data in the local law without a judge. So if police or the state attorney can do it, then only their signature is required if the local law states that the judge is required, then you would need the authorization by a judge. However, if you want content data, that's a special point in there. So if you want content or whatever of a cloud service or something like that, it will always require the signature of a judge, but this could be from a local court. Microphone number two, your time has come. Please do go very close to the microphone. Thanks for the wonderful talk and preparing it in such a short time. I would have two questions that popped into my mind. One of them is that we have extensive cooperation contracts between legal entities within the European Union. So if I see this correctly, so far the proposed procedure would allow to basically play it in tandem to get the information. So my police is gonna ask someone else's police, the police from another state to ask for data that the police can't ask for, and I don't see how this is omitted in any way. Well, I had this in the presentation that we think that only the state where there are actually criminal proceedings should be able to request the data, but it's not very clear right now in the proposed regulation. So this needs to be clarified. We think that especially this part of the data can be handed on to someone else because we have a different contract in place that this should be explicitly prohibited under this regulation. It's not part of the proposal right now. Microphone number two, please do ask your second question. The other point was, when does data count as being stored? Is this like two minutes after I finished my phone call or an hour or 24 hours? Well, the proposal doesn't say. Typically that is also something which is under local law and it actually differs from country to country what is considered stored data, but it's typically all sorts of account data, all sorts of data which is stored more formal like emails, cloud data and things like that. It's data in transit which is only temporarily stored somewhere does typically not count as stored data. Microphone number five. The amount of scope if I run my own mail server like universities or other big companies? Well, if you run your own services, you're obviously out of scope for the proposal because it need to be a service provider enabling other persons in order to do that and obviously it wouldn't do much good to send you a request to release your own data. But universities and things like that, that is really up to local law. So under certain provisions, I don't know that for many countries but I know that in Germany for emails for example, they have an exemptions, they don't need to provide that. So this is part of what do I mean when I say we need to actually change local procedures as well to clarify who's within scope and who's not. This is all about oh, it's kind of like up to local law but if I'm not required to store something or to actually have data and then someone from Spain or whatever inquires something because companies there are required to store that. Well, obviously if I'm not storing anything, they can't release anything but it might work the other way around. Like in Poland they have data retention for five years in some other countries they don't have data retention laws at all or maybe six months and then you request something and you receive data for five years. That's obviously not intended from the requesting entity so this might work both ways. And the internet has the honor of asking the final question for the session. So one Cushia user asked if we should use the law against the politicians which proposed it if it actually comes into effect to kind of show them how bad it really is. Well, if you get some other law enforcement agency to request that data, yes. You could do that because there's no provision against it but it's, I can't really answer that, sorry. All right, anyways, thank you very much for all of your questions. Thank you so much for being so active. Also, thank you very much to Klaus again for giving this very informative talk. Please give another big round of warm applause to Klaus. Thank you. Thank you. Have a good one.