How Do Japanese Authorities Investigate Cybercrime? Navigating Remote Access, Data Seizure, and Cross-Border Server Issues

The digital age has brought unprecedented connectivity and convenience, but it has also opened new frontiers for criminal activity. Cybercrime, ranging from unauthorized access and data theft to online fraud and the distribution of illicit materials, poses unique challenges to law enforcement agencies worldwide. In Japan, a technologically advanced nation, the legal framework for investigating such offenses has had to evolve to keep pace. This article explores the key tools and legal considerations Japanese authorities navigate when tackling cybercrime, with a particular focus on powers like remote access, specialized data seizure techniques, and the complexities of accessing evidence stored on servers across international borders.

The Evolving Landscape of Cybercrime and Digital Evidence

Cybercrime investigations differ significantly from traditional criminal inquiries due to the nature of digital evidence. Electronic data (電磁的記録, denjiteki kiroku) is often intangible, volatile (easily altered or deleted), and can be stored in multiple locations simultaneously, often in "the cloud" without a clear physical nexus to the suspect or the crime scene. Furthermore, data can be encrypted, and its retrieval may span national jurisdictions, raising issues of sovereignty and international cooperation.

Recognizing these challenges, Japan undertook significant revisions to its Code of Criminal Procedure (刑事訴訟法, Keiji Soshōhō) in Heisei 23 (2011). These amendments aimed to equip investigators with more effective tools while attempting to balance investigative needs with individual rights and international norms, partly in response to Japan's accession to the Council of Europe's Convention on Cybercrime (often called the Budapest Convention).

Key Investigative Powers Under the 2011 Amendments

The 2011 reforms introduced several specialized measures for handling digital evidence:

1. Enhanced Flexibility in Seizing Digital Data

  • Copying Data as an Alternative to Seizing Original Media (Art. 110-2, Code of Criminal Procedure): Traditionally, seizure focused on physical objects. However, seizing an entire server or computer system can cause undue disruption to businesses or individuals. This provision allows investigators, when authorized to seize a storage medium (like a computer), to instead copy the relevant digital data onto another medium and seize that copy. This is particularly useful when the original medium contains vast amounts of data irrelevant to the investigation or is critical for ongoing operations of a third party (e.g., a service provider). This can be done even if the custodian is uncooperative, with investigators performing the copy themselves.
  • "Order to Record and Seize" (記録命令付差押え, kiroku meirei-tsuki sashiosae) (Art. 99-2, 218(1)): This innovative tool addresses situations where relevant data is dispersed across multiple systems or requires specific actions by a custodian to compile. It allows a court to issue a warrant ordering a person who possesses or has the authority to manage digital records (e.g., a system administrator or service provider) to extract specified data, record it onto a storage medium, or print it out. This medium or printout is then seized. The warrant must specify the data to be recorded or printed. While termed an "order," there are no direct physical enforcement mechanisms or penalties for non-compliance by the custodian if they are not the primary suspect; its effectiveness often relies on the cooperation of third-party data holders.

2. Preservation of Communication Data

  • Request for Preservation of Communication History (通信履歴の保全要請, tsūshin rireki no hozen yōsei) (Art. 197(3), (4)): Given the ephemeral nature of some communication logs (e.g., IP addresses, timestamps of online activity), which can be crucial for identifying perpetrators of anonymous cybercrimes, this provision allows investigators to formally request telecommunications providers or other relevant entities to preserve specified communication records for a period of up to 30 days. This period can be extended once, for a further 30 days (totaling 60 days). This is a preservation request only; the actual acquisition of these logs for evidentiary use still requires a separate warrant (e.g., a seizure warrant or an "Order to Record and Seize").

3. Addressing Technical Obstacles

  • Request for Cooperation from Custodians of Seized Media (Art. 111-2, 142, 222(1)): When investigators seize a computer or storage device, they may encounter technical barriers such as encryption or password protection. While existing law doesn't generally compel active cooperation from a suspect (due to the right against self-incrimination), these provisions allow investigators to request cooperation from the person whose media is seized or from other relevant parties (e.g., system administrators) to make the data accessible (e.g., by providing passwords or decrypting files). However, compliance with such a request is not physically enforceable, nor are there penalties for refusal, particularly for the suspect.

Remote Access Investigations (リモートアクセス, Rimōto Akusesu)

One of the most significant introductions in the 2011 amendments was the power of "remote access" (Art. 99(2), 218(2)). This provision was designed to address scenarios where data, while accessible from a suspect's computer, is physically stored on a different server or storage medium connected via a network (e.g., a company server, cloud storage).

How it Works:
When investigators are executing a warrant to seize a specific computer, Article 218(2) allows them, under certain conditions, to access and copy data from another storage medium that is connected to the target computer via an "electric communication line" (電気通信回線, denki tsūshin kaisen). The data copied can then be stored on the seized computer or another medium, which is subsequently seized.

Conditions and Limitations:

  • The remote access must be conducted from the computer that is the subject of the seizure warrant.
  • The data on the remote medium must be data that the seized computer is used to process (e.g., data created or modified by the seized computer, or data that the user of the seized computer has the authority to alter or delete).
  • The remote storage medium must be one "recognized as being used for the purpose of storing" such data for the seized computer.
  • Critically, the warrant must specify the scope of the remote storage medium from which data can be copied (Art. 219(2)). This ensures judicial oversight regarding the necessity and proportionality of accessing remote data. This might involve specifying server names, user accounts, or IP addresses if known.

Relevance of Copied Data:
A key legal question is whether investigators can perform a bulk copy of all data within the authorized remote scope or whether they must first identify specific relevant files. The prevailing interpretation and some court rulings, such as the Osaka High Court decision of September 11, 2018, suggest that if the specified remote storage area itself is deemed likely to contain relevant evidence (as determined by the judge issuing the warrant), then investigators may not need to conduct a file-by-file relevance check before copying, especially if doing so would be impractical or risk data alteration. However, the overarching principle is that the copied data should be relevant to the suspected crime.

Challenges and Complexities in Remote Access

Despite its utility, remote access presents significant legal and practical challenges:

The Post-Seizure Access Dilemma

The statutory power for remote access (Art. 218(2)) is framed as an action taken during the execution of a seizure warrant for a computer, i.e., typically at the search scene before the computer is removed. What happens if investigators are unable to perform the remote access at that time, for example, due to lack of login credentials for the computer or the network?

The Tokyo High Court decision of December 7, 2016 (Tōkyō Kōtō Saibansho Keiji Hanrei Jihō Vol. 67, No. 1-12, p. 177) addressed such a scenario. Investigators seized a laptop but couldn't perform remote access to an email server at the time of seizure because the laptop's password was unknown. Later, after forensic analysis of the seized laptop revealed the email account password, they obtained an "inspection warrant" (検証許可状, kenshō kyokajō) for the laptop itself. Using this inspection warrant, they connected the (forensically copied) laptop to the internet and accessed the emails on what was believed to be an overseas server.

The Tokyo High Court found this post-seizure remote access to be illegal. It reasoned that:

  • The remote access power under Article 218(2) is linked to the initial seizure of the computer and is not a standalone authority for later actions.
  • An inspection warrant for a seized computer authorizes examination of that computer's contents and state. It does not, by itself, authorize accessing external servers, which could infringe the rights of third parties (e.g., the server operator) or constitute a separate compulsory measure against the server requiring its own specific authorization.
  • Accessing an email server to view and download emails was, in substance, an inspection of the server itself, not merely an inspection of the seized laptop. This required a warrant or authority specifically covering the server.
  • The fact that the original search and seizure warrant for the laptop had authorized remote access was irrelevant because that authority was not, and could not be, exercised at the time of seizure.

This case underscores that remote access is a specifically defined power tied to the act of seizure, and alternative warrants (like a simple inspection warrant for a seized device) cannot be used as a backdoor to conduct what amounts to a separate remote search of external systems.

The Transnational Maze: Accessing Data on Overseas Servers

Perhaps the most complex challenge in cybercrime investigation is accessing data stored on servers located in foreign countries (国外にあるサーバへのアクセス, kokugai ni aru sābā e no akusesu). This immediately implicates principles of international law, particularly territorial sovereignty.

Sovereignty and International Norms

Generally, a state cannot exercise its law enforcement powers within the territory of another sovereign state without consent. Accessing a server physically located abroad, even remotely from within Japan, can be construed as an extraterritorial exercise of investigative power, potentially infringing the sovereignty of the state where the server resides.

Japan is a party to the Cybercrime Convention (Budapest Convention), which provides some framework for cross-border access. Article 32 of the Convention permits a party to:

  • Access publicly available stored computer data, regardless of where the data is located geographically.
  • Access or receive, through a computer system in its territory, stored computer data located in another Party's territory, if the accessing Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data through that computer system.

The Cautious Approach of Japanese Courts

For situations not covered by these exceptions in Article 32, such as direct, non-consensual remote access by Japanese investigators to a server in another Convention country, the legal situation is less clear. The Convention itself does not explicitly prohibit other forms of transborder access but leaves them to be governed by other treaties or domestic laws.

Japanese courts and legal practice have generally adopted a cautious approach, emphasizing the desirability of using formal Mutual Legal Assistance Treaties (MLATs) or obtaining the consent of the foreign state when seeking data from overseas servers.

  • The Tokyo High Court decision of December 7, 2016 (discussed above) noted that since the email server was potentially overseas, investigators should have considered international mutual assistance.
  • The Osaka High Court decision of September 11, 2018 (involving remote access based on user consent, though the consent was later found to be involuntary by the court) also acknowledged that accessing servers located in the U.S. without the consent of U.S. authorities could raise sovereignty issues. While the court in that specific case ultimately did not exclude the evidence on sovereignty grounds (finding that Japanese procedural law regarding the warrant for the domestic computer was followed and the individual defendant's rights under Japanese law were the primary concern for admissibility), it still recognized the underlying international law problem. The court suggested that while a sovereignty infringement might constitute an "international illegality," it wouldn't automatically render evidence inadmissible in a Japanese court if domestic procedural requirements related to the defendant's rights were met. Nevertheless, it affirmed that international cooperation channels are preferable.

The "Unknown Location" Problem

A practical difficulty arises when the physical location of a server storing relevant data is unknown, or when a service provider (especially a global one) is unable or unwilling to disclose it. If investigators cannot determine the jurisdiction where the data resides despite diligent efforts, requiring them to seek consent from or send an MLAT request to every possible country would be impractical. In such limited circumstances, some legal commentators suggest that Japanese authorities might be justified in proceeding with remote access if authorized under domestic law for a domestic computer, with the understanding that if the server is later found to be in a specific foreign state that objects, diplomatic issues might arise.

Conclusion: An Evolving Toolkit for a Borderless Problem

Japan's 2011 amendments to the Code of Criminal Procedure significantly expanded the toolkit available to investigators tackling cybercrime. Powers such as the ability to copy data instead of seizing entire systems, order data production, and, crucially, conduct remote access from a seized device, reflect an attempt to adapt traditional investigative paradigms to the realities of digital evidence.

However, these tools are not without their limitations, particularly when passwords obstruct access or when data resides on servers beyond Japan's borders. The judiciary has shown a willingness to scrutinize the application of these powers, ensuring they are used within their statutory confines and with due regard for individual rights and, increasingly, international legal principles. The challenge of accessing cross-border data remains a significant hurdle, often necessitating reliance on international cooperation, which can be slow and complex.

As cybercrime continues to evolve in sophistication and scope, Japan's legal framework and investigative practices will need to demonstrate ongoing adaptability, striving to balance the imperative of effective law enforcement in a borderless digital world with the enduring principles of national sovereignty, international comity, and the protection of fundamental human rights.