A joint investigation by Computer Weekly, Solomon, and Correctiv reveals that Europol operated a parallel computer system called Computer Forensic Network (CFN) for years. This platform stored large volumes of personal data without complying with the legal and technical safeguards required by the European Union.
The CFN evaded European privacy controls
The agency created the CFN in 2012 for forensic analysis purposes. However, it became the main information processing tool after the Paris attacks of 2015. By 2019, the system had already accumulated at least 2 petabytes of information gathered from various sources.
This repository included phone records, identity documents, and geolocation data. Most belonged to people who were not suspected of committing crimes. A former senior agency official summarized the institutional contradiction with a forceful phrase.
"They protect the law while breaking it" - Former Europol official
The agents also used a second informal environment known as a "pressure cooker." The anti-terrorism unit used this space to analyze data from open sources on the Internet outside of official channels. This practice escaped any direct external supervision.
Internal alerts warned of structural failures
Daniel Drewer, Europol's data protection officer, raised an alarm in an internal report in 2019. The document indicated that up to 99% of the agency's data could reside in the CFN without the relevant regulatory guarantees. Drewer warned about structural security flaws and the real risk of intervention by the European Data Protection Supervisor (EDPS).
The systems lacked basic access controls and audit logs. Additionally, they allowed unrestricted software installation and showed a proliferation of accounts with administrator privileges. Steven Murdoch, professor of security engineering at University College London, pointed out that this lack of controls could compromise the integrity of investigations.
Murdoch added that this would affect the evidentiary value of data in judicial proceedings. Peter Sommer, a forensic computing expert, agreed that the concentration of administrative privileges constitutes a critical security vulnerability.
Europol began negotiations with the SEPD to adapt the CFN to current regulations. The agency argued that the system was already integrated into its daily operations. A spokesperson denied having hidden information from the supervisory authorities and stated that the European regulator had known about the environment since 2019.
The spokesperson announced that they are working on replacing the system with a new infrastructure aligned with data protection requirements. These findings occur while the European Commission studies expanding Europol's mandate and budget. The executive director, Catherine De Bolle, presented her resignation on May 1st.
David Davis, former British MP, described the events as serious failures of oversight and legality. Davis requested clarifications on the possible use of data from innocent citizens by UK security forces in collaboration with the European agency.