Why preserving user data remains a major problem for investigators

Governments continue to face barriers when asking online services outside their borders to preserve user data needed for investigations. The issue surfaced in 2019 after the Christchurch attacks in New Zealand, when police requested that Kiwi Farms, operated from the United States, preserve forum posts, IP addresses, and email data tied to discussions of the shootings.

Investigators often need preservation before disclosure. Court orders or mutual legal assistance can take days or weeks, while content can be changed or deleted within minutes. Without a hold in place, relevant information may disappear before lawful access is granted.

In February 2026, Eurojust indicated the European Union’s e‑evidence package is moving into application this year. A key feature is the European Preservation Order, designed to require service providers to retain specified electronic data while authorities seek access through production orders or mutual legal assistance. The framework also allows orders to be sent directly to providers, including via designated legal representatives in the EU.

Network architecture adds friction. A platform can be registered in one country, host servers in another, route traffic through several more, and serve users worldwide. Smaller forums and fringe networks may have limited or no compliance staff, making timely responses less likely even where laws apply. Larger companies with executives and offices in major markets are easier for authorities to contact.

Cooperation can shift under legal pressure. In the second half of 2024, after founder Pavel Durov’s arrest in Paris, Telegram increased the volume of user data provided to French authorities, supplying IP addresses or phone numbers in hundreds of cases after only a handful earlier in the year, company figures show.

Authorities report uneven outcomes. Major platforms with a footprint in large jurisdictions often respond faster, while smaller or offshore sites answer slowly or decline requests. Regulators have created faster, clearer paths for cross‑border preservation and production, yet outcomes still depend on where a service operates, what it stores, and its exposure to the requesting country.

The 2019 Christchurch Call set goals for reducing terrorist and violent extremist content online and created channels for cooperation among governments and technology companies. Operational enforcement and cross‑border execution continue to depend on national laws, platform policies, and the data each service retains.

For investigators, the first objective is preservation. If data expires or is removed before a court order arrives, evidence can be lost even when lawful access follows. The European Preservation Order is intended to keep data available during that legal window, though response times and coverage vary across services.