
Accessing Data in the Cloud: The Long Arm of the Law Enforcement Agent


Part of the book series: Computer Communications and Networks ((CCN))

Abstract

When placing data in the cloud, users inevitably have concerns about unauthorised access to such data, exposing commercial secrets and breaching individual privacy. While such concerns are primarily directed towards organised crime, access by law enforcement agencies in the course of an investigation has itself become a heightened privacy and security concern, particularly in relation to US authorities in a market where US-based cloud providers dominate. From a law enforcement perspective, the cloud represents the latest manifestation of a transnational environment within which they have to operate, presenting a multitude of conflicting laws. This chapter examines how rules, at a European and international level, attempt to balance the needs of law enforcement with the needs of users and providers of cloud services.

This chapter was written under the auspices of the Queen Mary, University of London Cloud Legal Project: http://www.cloudlegal.ccls.qmul.ac.uk/index.html

Endnotes

1. See ‘Deutsche Telekom wants ‘German Cloud’ to shield data from US’, Business Week, 14 September 2011.

2. CETS No. 185, entered into force 1 July 2004 (‘the Convention’).

3. For example, CRN’s ‘Cloud 100: The Top 100 Cloud Computing Vendors Of 2011’, available at http://www.crn.com/news/cloud/index/100-cloud-computing-vendors.htm

4. The full title is: ‘Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001’, Pub. Law. 107–156.

5. The distinction between data ‘at rest’ and ‘in transmission’ does not denote the technical state of the data since data held by a cloud service provider, i.e. ‘at rest’ may be regularly ‘in transmission’ between internal resources of the service provider, for example, using load balancing. Rather the phrases are used to indicate a legal distinction between LEA powers of access to data.

6. For the purpose of this article, ‘infrastructure’ refers to any component of the cloud service, not an IaaS.

7. Particularly as user applications may be configured not to record such interactions, for example, Microsoft Internet Explorer’s ‘InPrivate’ browsing setting [15].

8. For example, ACPO, Good Practice Guide for Computer based Electronic Evidence, 4th ed., October 2008.

9. Application programming interfaces specify the manner in which software programs communicate with each other.

10. See Spoenle, J.: ‘Cloud Computing and cybercrime investigations: Territoriality vs. the power of disposal’, Council of Europe Discussion paper, 31 August 2010 (2010).

11. See, for example, Veolia ES Nottinghamshire Limited v. Nottingham County Council & ors [2010] EWCA Civ 1214, at paras 117–122.

12. The Explanatory Report purposely leaves flexibility to States, see paras. 137 and 187.

13. Council of Europe Recommendation No R(95)13, ‘concerning problems of procedural law connected with information technology’, at Principle 4.

14. Number of signatories is correct as of 14 November 2011. The United States ratified the Convention in January 2007 and the United Kingdom in May 2011.

15. For example, in the UK, access to stored data generally occurs under a judicial warrant (e.g. Police and Criminal Evidence Act 1984, s. 9); the interception of data in transmission requires an executive warrant (Regulation of Investigatory Powers Act 2000 (‘RIPA’), s. 5), while access to communications data occurs under an administrative authorisation (Ibid., s. 22).

16. For example, the incitement of crime through the actions of ‘agent provocateurs’ may breach an individual’s right to a fair trial, under art.6 of the ECHR. See Teixeira de Castro v. Portugal (1998) 28 EHRR 101.

17. For example, for an express limitation, see the Police Act 1996, s. 30(1), while the presumption was recently restated in R (Al-Skeini) v. Secretary of State for Defence [2008] 1 AC 153, 45.

18. For example, Zheng v. Yahoo! Inc., 2009 WL 4430297 at *4, No. C-08–1068 MMC (Dec. 2, 2009), where representatives of the China Democracy Party tried unsuccessfully to bring an action for violation of the ECPA.

19. For example, Suzlon Energy Ltd v. Microsoft Corp., (2011), US Court of Appeals for the 9th Circuit, unreported, where the court held that the ECPA protected the domestic communications of any person not just US citizens.

20. Under UK law, the terminology is ‘possession, custody or power’ (e.g. Terrorism Act 2000, Sch. 5, para. 5), while US law refers to ‘possession, custody or control’ (e.g. Federal Rules of Civil Procedure, at Rules 26 and 34; Federal Rules of Criminal Procedure, Rule 16).

21. Convention Explanatory Report, at para. 173.

22. Similar to the EU data protection law, i.e. Directive 95/46/EC, art. 2(d).

23. Convention Explanatory Report, at para. 38.

24. For example, United States v. Vetco, Inc., 691 F.2d 1281 (9th Cir. 1981), where the court required the US entity to produce data held by a subsidiary outside of the US.

25. For example, the Yahoo! Belgium case discussed below.

26. Regulation of Investigatory Powers Act 2000, Part I, Chapter II. It should be noted, however, that the Protection of Freedoms Bill 2011, cl. 37, will amend this to require judicial authorisation in respect of requests made by ‘local authorities’.

27. In the UK, the Police and Criminal Evidence Act 1984, s. 20, contains a similar provision.

28. For example, Amazon offers its customers ‘regional zones’, i.e. a US or European cloud. See further [4], at p. 28.

29. However, the provision does not represent consensus among Council of Europe member states. In particular, Russia does not accept art. 32(b) and wants it either amended or a supplementary agreement between the parties as to its meaning, prior to becoming party to the Convention.

30. [4] at 4.9. For Apple’s recently launched iCloud service, the privacy policy states that it will disclose personal information if necessary ‘by law, legal process, litigation, and/or requests from public and governmental authorities within or outside your country of residence’, as well as where Apple ‘determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate’ (www.apple.com/privacy).

31. For example, Microsoft Online Services, Trust Center, ‘Data Use Limits’ states that, in the first instance, Microsoft will redirect an LEA to the customer, while if required to respond to the LEA request, it will ‘use commercially reasonable efforts to notify the enterprise customer in advance of any production unless legally prohibited’ (available at www.microsoft.com/online/legal/v2/?docid=23, as of 4 November 2011).

32. Sherman, M.: At Dropbox, even we can’t see your dat- er, nevermind (19 April 2011), available at http://www.bnet.com/blog/technology-business/-8220at-dropbox-even-we-cant-see-your-dat-8211-er-nevermind-8221-update/10077 (2011).

33. The Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union established by Council Act of 29 May 2000 (OJ C 197, 12.7.2000). An Explanatory Report has been published at OJ C 379, 29.12.2000, p. 7.

34. The ‘gateway’ may be the earth station controlling the telemetry, tracking and operation of the satellite.

35. Explanatory Report at para. 20.

36. See generally www.eff.org/Censorship/Indymedia/

37. In response to Parliamentary questions from MPs, Richard Allan and Jeremy Corbyn (20.10.04, Col. 725 W), John McDonnell MP (27.10.04, Col. 1278 W) and Lynne Jones (11.11.04, Col. 895 W), to Home Office minister Caroline Flint, who replied: ‘I can confirm that no UK law enforcement agencies were involved in the matter’.

38. CETS No. 30, entered into force 12 June 1962. The Council of Europe includes non-EU member states.

39. An additional Protocol was adopted in 1978 (CETS No. 99) and a Second Additional Protocol in 2001 (CETS No. 182).

40. Convention implementing the Schengen Agreement (OJ L 239/19, 22.09.2000), at arts. 48–53.

41. Council Framework Decision 2003/577/JHA of 22 July 2003 on the execution in the European Union of orders freezing property or evidence; OJ L 196/45, 2.8.2002.

42. Council Framework Decision 2008/978/JHA of 18 December 2008 on the European evidence warrant for the purpose of obtaining objects, documents and data for use in proceedings in criminal matters; OJ L 350/72, 30.12.2008.

43. See Press Release from the Justice and Home Affairs Council Meeting, 9409/06 (Presse 144), 1–2 June 2006.

44. Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, OJ L 105/54, 13.4.2006.

45. Council of the European Union, 2010/0817 (COD), 29 April 2010 (‘EIO Proposal’).

46. ‘The Stockholm Programme – An open and secure Europe serving and protecting citizens’ (OJ C 115/1), 4.5.2010.

47. Ibid., at 3.1.1., para. 4.

48. EIO Proposal, at art. 12(1).

49. In May 2011, Twitter announced it was opening a London office at a time when it was accused of facilitating breaches of a privacy injunction against the footballer Ryan Giggs and subject to a court order requiring it to deliver up details concerning its users.

50. Available at http://www.google.com/transparencyreport/

51. Available at http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/documents/lea_isp/default_EN.asp

52. For example, mandatory sign-off by in-house counsel.

53. For example, The Guardian, ‘WikiLeaks website pulled by Amazon after US political pressure’, 2 December 2010.

54. Guidelines, at para. 36.

55. Ibid., at para. 42. Service providers are not, however, expected to ‘actively search for facts or circumstances indicating illegal activities’.

56. Ibid., at para. 50.

57. Directive 2002/21/EC on a common regulatory framework for electronic communications networks and services (OJ L 108/33, 24.4.2002), at art. 2(c).

58. Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (OJ L 178/1, 17.7.2000).

59. See, for example, http://www.caas.com/Pages/default.aspx

60. Framework Directive, at art. 2(e) and (ea), respectively.

61. For example, under the UK Regulation of Investigatory Powers Act 2000, s. 2, it is an offence to intercept a transmission carried by means of a private telecommunication system.

62. For example, Belgium, Germany, Netherlands, Italy, Mexico, Russia, Spain, Switzerland and the UK.

63. Note, however, the ongoing dispute between RIM, the manufacturer of the Blackberry device and law enforcement agencies in Saudi Arabia and India: for example, http://www.arabianbusiness.com/blackberry-s-response-rim-statement-in-full-339572.html

64. Commission Decision 2008/324/EC setting up the ‘Platform on Electronic Data Retention for the Investigation, Detection and Prosecution of Serious Crime’ group of experts; OJ L 111/11, 23.4.2008.

65. DATRET/EXPGRP (2009) 2 Final – 03 12 2009.

66. Court of Dendermonde, Not. nr. DE 20.95.16/08/26, 2 March 2009.

67. Court of Appeal of Ghent of 30 June 2010.

68. Supreme Court, Nr. P.10.1347.N, 18 January 2011.

69. 12 October 2011.

70. 18 U.S.C. § 2510(15) and § 2711(2), respectively.

71. 18 U.S.C. § 2703(a) and (b), respectively.

72. 50 USC § 1881(a)(4). These provisions were inserted by the FISA Amendments Act of 2008, s. 701(b)(4).

73. For example, European Parliament resolution ‘on the interception of bank transfer data from the SWIFT system by the US secret services’ (P6_TA-PROV(2006)0317), which raises concerns about privacy as well as ‘large-scale forms of economic and industrial espionage’.

74. Council Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters (OJ L 350/60, 30.12.2008) (‘2008 Decision’).

75. OJ L 281/31, 23.11.1995, at art. 3(2).

76. See Commission Communication, ‘A comprehensive approach on personal data protection in the European Union’, COM (2010) 609 final, 4.11.2010, at 2.3. See also Commission proposed Directive of the European Parliament and Council ‘on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data’ COM(2012) 10 final, 25.1.2012.

77. 2008 Decision at art. 13.

78. OJ L 181/34, 19.7.2003, at art. 9. The Agreement entered into force on 1 February 2010, after all Member States had aligned their bilateral MLAs with the US.

79. Ibid., art. 9(2).

80. Ibid., at 25(1) and (2), respectively.

81. For example, UK, Data Protection Act 1998, Sch. I, Pt. I, para. 8; Germany, Federal Data Protection Act, s. 4(b)(5).

82. Supra n. 106, at art. 25(6).

83. WP12 ‘Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU Data Protection Directive’, July 1998.

84. Council Decision 2000/520/EC, L 215/7, 25.8.2000, which expressly permits derogation ‘to the extent necessary to meet … law enforcement requirements’.

85. Council Decision 2006/729/CFSP/JHA (OJ L 298/27, 27.10.2006), extended by Council Decision 2007/551/CFSP/JHA.

86. Supra n. 106, art. 26(1)(d).

87. Opinion 1/2006 ‘on the application of EU data protection rules to internal whistle-blowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime’, WP 117, 1.2.2006; Opinion 10/2006, ‘on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT)’, WP 128, 22.11.2006.

88. Analogous to the ‘double criminality’ requirement in international criminal law.

89. For example, even hearsay evidence recorded and stored by a cloud service provider is real evidence of the fact the recording was made.

90. Such jurisdiction may arise under statute (e.g. criminal procedure code) or be inherent to the court (e.g. abuse of process). See, for example, the US exclusionary doctrine based on the ‘fruit of the poisonous tree’ metaphor.

91. Schenk v. Switzerland (1991) 13 E.H.R.R. 242.

92. For example, Herring v. United States 555 US (2009).

93. United States v. Gorshkov, 2001 WL 1024026 (W.D. Wash. 2001), at *3.

94. Ibid., at p. 46.

95. See Jespers v. Belgium (1981) 27 DR 61 and X v. FRG (1984) 8 E.H.R.R. 225.

96. EIO Proposal at art. 8(3).


References

Book

  1. Casey, E.: Handbook of Digital Forensics and Investigations. Academic, London (2009)

  2. Walden, I.: Computer Crimes and Digital Investigations. OUP, Oxford (2007)

Journal Article

  1. Boister, N.: Transnational criminal law? Eur. J. Int. Law 14, 953, 960 (2003)

  2. Bradshaw, S., Millard, C., Walden, I.: Contracts for clouds: a comparative analysis of terms and conditions for cloud computing services. Int. J. Law Inf. Technol. 19(3), 187–223 (2011)

  3. Couillard, D.A.: Defogging the cloud: applying fourth amendment principles to evolving expectations in cloud computing. Minn. Law Rev. 93, 2205 (June 2009)

  4. de Hert, P., Kopcheva, M.: International mutual legal assistance in criminal law made redundant: a comment on the Belgian Yahoo! case. Comput. Law Secur. Rev. 27, 291–297 (2011)

  5. Hon, K., Millard, C., Walden, I.: The problem of ‘personal data’ in cloud computing – what information is regulated? Int. Data Privacy Law 1(4), 211–228 (2011)

  6. Kapranos Huntley, A.: The Protection of Trading Interests Act 1980: some jurisdictional aspects of enforcement of antitrust laws. Int. Comp. Law Quart. 30, 213–216 (1981)

  7. Loof, R.: Obtaining, adducing and contesting evidence from abroad: a defence perspective on cross-border evidence. Crim. Law Rev. 1, 40–57 (2011)

  8. O’Floinn, M., Ormerod, D.: Social networking sites, RIPA and criminal investigations. Crim. Law Rev. 10, 766–789 (2011)

  9. Reidenberg, J.: Technology and internet jurisdiction. Univ. Pa. Law Rev. 153, 1951 (2005)

  10. Robinson, W.J.: Free at what cost?: cloud computing privacy under the stored communication act. Georgetown Law J. 98, 1195 (April 2010)

Online Article (No DOI Available)

  1. Hon, W.K., Hörnle, J., Millard, C.: Data protection jurisdiction and cloud computing – when are cloud users and providers subject to EU data protection law? The Cloud of Unknowing, Part 3 (September 7, 2011). Available at SSRN: http://ssrn.com/abstract=1924240 (2011)

  2. Peers, S.: The proposed European investigation order: assault on human rights and national sovereignty. Statewatch Analysis, May 2010. Available at http://www.statewatch.org/analyses/no-96-european-investigation-order.pdf and http://www.statewatch.org/analyses/no-112-eu-eio-update.pdf (2010)

  3. Schwerha IV, J.J.: Law enforcement challenges in transborder acquisition of electronic evidence from ‘cloud computing providers’ (January 15, 2010). Available at http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/Documents/Reports-Presentations/2079_reps_IF10_reps_joeschwerha1a.pdf (2010)

  4. Spoenle, J.: Cloud computing and cybercrime investigations: territoriality vs. the power of disposal (August 31, 2010). Available at http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/Documents/Internationalcooperation/2079_Cloud_Computing_power_disposal_31Aug10a.pdf (2010)

  5. Whittaker, Z.: EU demands answers over Microsoft’s Patriot Act Admission (September 19, 2011). http://www.zdnet.com/blog/igeneration/eu-demands-answers-over-microsofts-patriot-act-admission/11290 (2011, September 19)

  6. Whittaker, Z.: Dutch government to ban U.S. providers over Patriot Act concerns. ZdNet, 19 Sept 2011. http://www.zdnet.com/blog/btl/dutch-government-to-ban-us-providers-over-patriot-act-concerns/58342?tag=search-results-rivers;item3 (2011)


Author information

Corresponding author: Ian Walden.

Copyright information

© 2013 Springer-Verlag London

About this chapter

Cite this chapter

Walden, I. (2013). Accessing Data in the Cloud: The Long Arm of the Law Enforcement Agent. In: Pearson, S., Yee, G. (eds) Privacy and Security for Cloud Computing. Computer Communications and Networks. Springer, London. https://doi.org/10.1007/978-1-4471-4189-1_2


  • DOI: https://doi.org/10.1007/978-1-4471-4189-1_2


  • Publisher Name: Springer, London

  • Print ISBN: 978-1-4471-4188-4

  • Online ISBN: 978-1-4471-4189-1

  • eBook Packages: Computer Science (R0)
