EN
  • Cyber stability
  • Secops
  • Risks management
  • Digital transformation
  • Digital Sovereignty
  • Cybercrime
  • Industry and OT
  • Fraud
  • Digital identity
  • Cyber +
    • The Policeman Was On A Walk Through The Files

    The Policeman Was On A Walk Through The Files

    Written by
    The Editorial Team
    12.03.19
    Cybercrime
    04
    MIN
    The Policeman Was On A Walk Through The Files
    The Policeman Was On A Walk Through The Files
    The Policeman Was On A Walk Through The Files
    Image United States: Amounts Stolen by Cybercriminals Up 33%
    Cybercrime
    04.24.25 Cybercrime
    Next article
    United States: Amounts Stolen by Cybercriminals Up 33%
    Read
    01
    MIN
    Image Japan denounces fraudulent stock transactions carried out by Chinese actors
    Cybercrime
    04.23.25 Cybercrime
    Next article
    Japan denounces fraudulent stock transactions carried out by Chinese actors
    Read
    01
    MIN
    Image Canada: Authorities Arrest 87 Cyber Fraudsters Using LabHost
    Cybercrime
    04.17.25 Cybercrime
    Next article
    Canada: Authorities Arrest 87 Cyber Fraudsters Using LabHost
    Read
    01
    MIN
    Image Operation Endgame leads to the arrest of Smokeloader botnet clients
    Cybercrime
    04.13.25 Cybercrime
    Next article
    Operation Endgame leads to the arrest of Smokeloader botnet clients
    Read
    01
    MIN

    (By Olivier Iteanu, Barrister)

    This is a rare case that the Conseil d’État [Council of State, French supreme court for administrative justice] informed us about in a decision rendered on 24 April 2019[1]. A gendarmerie captain was punished with fifteen days’ leave from work for illegally consulting « gendarmerie files ». These unlawful consultations concerned his daughter’s employer as well as some of his family members. All in all, this gendarme reportedly admitted having consulted more than three hundred individual citizen files without legitimate and legal justification. As the policeman contested the sanction—after having acknowledged the facts during the investigation—the administrative courts were seized of this appeal, which resulted in this unprecedented decision by the highest court of the administrative order of France.

     

    LOVEINT, A Little-Known But Very Real Phenomenon

    In cybercrime, it has often been said that the first abuses come from within the organization itself. With regards to the processing of personal data, it is human and tempting to consult the system for personal needs. We can also do it to offer a service, for free or—even worse—for a fee. After all, it is so easy, seemingly not so « mean » and sometimes rewarding. For the controller, practice is a nightmare. It is difficult to prevent these behaviours from within. In the American NSA[2], we call it the LOVEINT (we illegally access data for our love partner (LOVE) or out of interest (INT)). In his book « Data and Goliath », Bruce Schneier, quoting Edward Snowden and a 12-month audit of the NSA carried out between 2011 and 2012, reveals that this practice was reportedly noted 2,776 times on the processing of the National Security Agency, an agency of the US Department of Defense. He adds that the figure should be much higher, because this information comes from the NSA itself… Obviously, the larger the file, the more people are authorized to access it, the greater the risk of LOVEINT developing. There is no reason why this type of behaviour should be limited to public files, and we do not dare to imagine what is happening across the Atlantic in certain large companies, giant collectors of personal data from all over the world containing all kinds of information.

     

    A Phenomenon That Is Difficult To Counter

    In the present case, the gendarmerie captain clearly had a special authorisation to access a « gendarmerie file » without further clarification. It can be assumed that this file included fairly intrusive information about the natural persons who were in it. It is obvious that such data cannot be consulted for personal purposes. In law, the point does not raise any difficulties. This is a breach of the principles laid down in Article 5 of the GDPR, according to which, in particular, personal data shall not be processed in a manner incompatible with the purposes for which they were originally collected. These breaches are punished by the possible administrative fine imposed by the CNIL [French data protection authority] on the controller—in this case, the gendarmerie, i.e. the French State. For the gendarme as a natural person, in addition to the disciplinary sanction, Article 226-21 of the French Criminal Code provides for a penalty of up to five years of imprisonment and a fine of up to €300,000.

    But the difficulty of these deviances is not legal here. It is of a practical and evidentiary nature. How can we identify and demonstrate that a rightful claimant—one who has the right of access to a processing operation—has violated its principle of purpose during a consultation? What matters here is much more the importance of educating within the organisation to remind us of the limits of the right of access to and consultation of the processing operation, and the technical and organisational set up to limit and detect unlawful consultation. All this must be wrapped up in good legal practices, so that these measures to limit access and consultation of a processing operation can be made enforceable and licit (since they are often related to cyber surveillance) to validate the evidence.

    [1] On the case law website legalis.net <https://www.legalis.net/jurisprudences/conseil-detat-7eme-ch-decision-du-24-avril-2019/>

    [2] National Security Agency

    The Editorial Team
    12.03.19
    Articles by the same author:
    1
    04.30.25 Cyber stability
    France officially accuses Russia of cyberattacks on its institutions
    Read
    01
    MIN
    2
    04.28.25 Cybercrime
    The Netherlands targeted by attempted Russian cyber sabotage
    Read
    01
    MIN
    3
    04.28.25 Cybercrime
    Nearly half of data breaches now involve ransomware
    Read
    01
    MIN
    4
    04.24.25 Digital identity
    United Kingdom: Digital Identity sector criticizes government wallet
    Read
    01
    MIN
    Image United States: Amounts Stolen by Cybercriminals Up 33%
    Cybercrime
    04.24.25 Cybercrime
    Next article
    United States: Amounts Stolen by Cybercriminals Up 33%
    Read
    01
    MIN
    Image Japan denounces fraudulent stock transactions carried out by Chinese actors
    Cybercrime
    04.23.25 Cybercrime
    Next article
    Japan denounces fraudulent stock transactions carried out by Chinese actors
    Read
    01
    MIN
    Image Canada: Authorities Arrest 87 Cyber Fraudsters Using LabHost
    Cybercrime
    04.17.25 Cybercrime
    Next article
    Canada: Authorities Arrest 87 Cyber Fraudsters Using LabHost
    Read
    01
    MIN
    Image Operation Endgame leads to the arrest of Smokeloader botnet clients
    Cybercrime
    04.13.25 Cybercrime
    Next article
    Operation Endgame leads to the arrest of Smokeloader botnet clients
    Read
    01
    MIN
    Stay tuned in real time
    Subscribe to
    the newsletter
    By providing your email address you agree to receive the Incyber newsletter and you have read our privacy policy. You can unsubscribe at any time by clicking on the unsubscribe link in all our emails.
    Stay tuned in real time
    Subscribe to
    the newsletter
    By providing your email address you agree to receive the Incyber newsletter and you have read our privacy policy. You can unsubscribe at any time by clicking on the unsubscribe link in all our emails.