Digital e-Court and Operating in COVID Provisional Mode

- Autor: Maciej Lesiak - 8 minutes read - 1504 words

What's in this article

The digitization of Poland’s judicial system is a slogan that has been raising hopes for years about streamlining proceedings and facilitating access to courts. Courts are overwhelmed with cases, and deadlines are as discouraging as possible to deter people from using litigation to resolve disputes. Therefore, the possibility of participating in a hearing from anywhere in the world, without the need to travel and waste time, seems to fulfill the promises of a modern state. However, my recent experience as a party in proceedings showed that behind the facade of technological progress, there may be serious procedural gaps and, in my opinion, potential threats to our personal data.

The digitization of Poland’s judicial system is a slogan that has been raising hopes for years about streamlining proceedings and facilitating access to courts. Courts are overwhelmed with cases, and deadlines are as discouraging as possible to deter people from using litigation to resolve disputes. Therefore, the possibility of participating in a hearing from anywhere in the world, without the need to travel and waste time, seems to fulfill the promises of a modern state. However, my recent experience as a party in proceedings showed that behind the facade of technological progress, there may be serious procedural gaps and, in my opinion, potential threats to our personal data.

Promise vs. Reality: First Collision

At the request of my attorney, we decided to use the option of remote participation in the hearing. The procedure seemed simple: it was enough to submit a request to the appropriate court department asking for such a possibility. It quickly turned out that it’s enough to write an email from an address not listed anywhere in correspondence as authorized to obtain a videoconference link, merely citing the case signature and interest. So I did just that. The response came quickly, containing a link to a meeting in the Jitsi system and detailed instructions.

However, what surprised me was that the court employee sent me an invitation without any attempt to verify my identity. I wasn’t asked for a PESEL number, a scan of my ID, or any other information that would confirm that I am actually me. A simple email with first name, last name, and case signature was enough to receive a link leading to a virtual courtroom. That was the first red flag.

e-court conference at hearing

Public Test Room: Disturbing Lack of Privacy

Following the instructions, on the day of the hearing I decided to use the test connection option. After clicking the link, I saw a view that I considered a flagrant violation of privacy. In the publicly accessible videoconference room, there were several dozen other people, mostly elderly, who were testing their connections. All were signed with their full names, and their faces were perfectly visible. The problem was that these people didn’t leave the room after establishing connection. This caused them to remain connected, and you could constantly hear conversations from their rooms. Yes, you read that correctly.

At that moment I realized that each of these people could see me, just as I could see others. I could easily take a screenshot, recording personal data (first and last names) and images of participants from completely different proceedings. Importantly, the system never displayed a request to accept terms of service, GDPR information clause, or any communication regarding data processing. Due to the regulations found on the court’s website, I won’t post any such screenshots as evidence, only my test connection from a few days ago when I saw one person. However, anyone can connect there without limits, so anyone can peek at who’s connecting and, if faces are visible, take screenshots, because there are no session separations. Everything is in one room for those testing.

e-court conference at hearing

The Hearing: Apparent Verification and Technical Makeshift

The hearing itself also left much to be desired. After joining the teleconference, I saw my attorney in one window, myself in another, in the third a courtroom set up for the witness stand, and two black windows without image. Due to technical problems, I had no image or sound from the judge’s bench. However, I could hear and see other participants perfectly, which created the impression of only partially participating in the process. Of course, no one raised this issue, knowing the pace of Polish judicial system operations. Attempting to turn on the microphone could have caused a postponement of the hearing by 3-6 months, which wasn’t convenient for anyone.

The identity verification I had hoped for turned out to be illusory. The court limited itself to asking “are you who you are?”, after which it received standard declarations from me about criminal liability for making false statements. The foundation of the entire process – certainty about who the person on the other side of the screen is – was based on one simple question and my declarative answer. Hmm…

What About the Regulations? Theory vs. Practice

After the hearing, I decided to examine the official rules, infrastructure, technology… The Videoconference System Regulations, made available by one of the appellate courts, looks solid in theory. We read in it that the Organizer (i.e., the court) bears exclusive responsibility for “verification of Participants’ identity in accordance with legal provisions”. My experience shows that this key obligation was not fulfilled in any way.

The regulations also prohibit sharing the link with unauthorized persons, defining this as a “flagrant violation” that can result in even criminal liability. You mustn’t do this, heaven forbid! But how to enforce this prohibition when the access granting process itself is so poorly secured? I wonder how the court would find a person from Panama impersonating a witness? The person writing the regulations had no such doubts, and presumably the regulations are correlated with GDPR principles, and these with obligation scopes. I therefore assume that no law was violated in providing links and creating foundations for access, meaning I assume we’re operating in post-COVID provisional mode and no foundations are required, everything is done on word of honor and great trust.

Answering key questions about data security, the regulations specify several issues:

  • Data Administrators: The administrator of personal data processed during the hearing is each court organizing it. The Minister of Justice and the relevant appellate court are responsible for the technical side of the system (as System Administrator).
  • Session Recording: What’s extremely important, the regulations explicitly state that “Videoconference Sessions are not recorded, stored, or archived in the Videoconference System”. The decision about possible recording can only be made by the court, but this must occur outside the provided system.

Permanence of “COVID Mode” Makeshift

I would like to draw attention to one key aspect of this sad affair. It’s worth noting that the system itself was implemented based on COVID special law provisions (the sacred regulations themselves refer to this). The epidemic state was lifted in Poland over two years ago by the minister, yet the “makeshift” created then continues in full swing, becoming the de facto standard. Because it’s convenient, and procedures and security are not convenient.

System Open to Manipulation?

A system based on lack of solid verification creates enormous room for abuse. It’s not hard to imagine a social engineering scenario: a person knowing the case signature (and these are often not secret, visible for example on envelopes delivered by mail carriers) contacts the court, claiming to be a party and stating they deleted the email with the link. Given current procedures, there’s a high probability that acting under time pressure and applying pressure on a lower-level employee, they would gain access to the hearing, if not more.

Are We Still Operating in the Pandemic Provisional Turn?

The described problem is unfortunately not an isolated case. Similar doubts about procedural reliability appeared, for example, in Łódź, where I publicly reported a problem in the context of public consultations regarding Local Spatial Development Plans (MPZP). The process conducted by the Municipal Planning Workshop, which was supposed to be open and digital in theory, in practice raised allegations of unfair treatment of participants and creating the appearance of dialogue. MPU, citing the pandemic state that had been extinguished by the minister for over a dozen months, still implemented procedures that in my opinion limited accessibility for residents. These allegations were responded to by Vice President Adam Pustelnik in a several-page letter, defending the MPZP consultations and adopted MPZP consultation solutions while announcing their changes. Nevertheless, the entire situation constituted another example of digital makeshift for residents, which in a process touching on the fundamental right of property undermined trust in the reliability of the entire procedure. A few weeks after Pustelnik’s letter, MPU in Łódź changed the regulations and rules from pandemic to normal ones.

Digitization is an opportunity, but it cannot occur at the cost of fundamental principles of rule of law and privacy protection. My story shows that without solid, verifiable security procedures, a digital courtroom can become a place of chaos, mistakes, and deliberate manipulation. It’s high time to replace temporary solutions with a system worthy of citizens’ trust.

Ten artykuł jest dostępny również po polsku:
Cyfrowy e-sąd i działanie w trybie COVIDowej prowizorki

See also

Anomaly in Google Gemini: AI Displays Wrong Images from Attachments
Anomaly in Google Gemini: AI Displays Wrong Images from Attachments
Case Study: Leak of sensitive airport data due to email configuration error (2007)
Case Study: Leak of sensitive airport data due to email configuration error (2007)
LODZ.PL: Public Portal or Advertising Conglomerate? Analysis of Tracking, Monetization and Conflicts of Interest
LODZ.PL: Public Portal or Advertising Conglomerate? Analysis of Tracking, Monetization and Conflicts of Interest
#2520 Manipulating Recommendation Systems: GROK, White Genocide, and Musk's Racist Conspiracy Theories
#2520 Manipulating Recommendation Systems: GROK, White Genocide, and Musk's Racist Conspiracy Theories
Conspiracy Theories as Civic Narrative: An Analysis of Rafał Górski's Columns from the Civic Affairs Institute
Conspiracy Theories as Civic Narrative: An Analysis of Rafał Górski's Columns from the Civic Affairs Institute
Bypassing Security Filters in ChatGPT's SVG Generation
Bypassing Security Filters in ChatGPT's SVG Generation