Law enforcement agencies access rights to your cloud data
An essential primer for enterprise IT professionals on data privacy and security in the cloud
Published 14:03, 22 July 11
Expedited preservation, traffic data, production orders, subscriber information
LEAs can obtain "expedited preservation of stored computer data". This power is most likely to be used against a suspect's cloud service provider, rather than the suspect.
LEAs may also obtain expedited preservation and partial disclosure of "traffic data" indicating a communication’s origin, destination, route, time, date, size, duration, or type of underlying service. This may be obtained from any type of cloud service provider (SaaS, PaaS or IaaS), and also telecommunications providers.
Obtaining access to data preserved by the provider may need a separate procedure with different authorisation requirements. This could be via:
- a "production order" against someone in "possession or control" of computer data, or
- requiring a service provider to disclose "subscriber information" (not traffic data or content, but eg the subscriber's name, address, phone number).
Generally, a cloud user "controls" data they store in the cloud; their provider "controls" metadata generated from their use of the service. So a production order could be made against a cloud user for their stored data, or against a provider for metadata about a particular customer's usage.
But "possession" can in some countries even include what's called "constructive possession". In that case, if for example a SaaS provider builds its service on IaaS (eg Dropbox on Amazon S3), technically an LEA could serve a production order on the IaaS provider for data stored via the SaaS service by a customer of the SaaS provider, without the SaaS provider even knowing about the request.
Conversely, "subscriber information" held by a service provider is limited to information relating to subscribers of its services. So, if a SaaS or PaaS service is built on IaaS (eg dotCloud's PaaS on Amazon EC2), the IaaS provider can't be asked for "subscriber information" relating to the SaaS or PaaS provider's users.
Similarly, if SaaS is built on PaaS (eg Google App Engine applications or Windows Azure applications), or even SaaS on PaaS on IaaS (eg Facebook apps on Heroku on Amazon), neither the PaaS nor the IaaS provider could be asked for subscriber information regarding the SaaS provider's users. This could entail LEAs approaching several layers of providers before finding the right one.
However, procedures for LEAs to access subscriber information vary. In the UK, this is possible through administrative self-authorisation, whereas making the same request to the cloud user would normally need judicial authorisation. Such differential treatment, while helpful to LEAs, raises concerns about oversight of provider disclosures.
Search and seizure
Search and seizure orders may be made against "stored computer data". Due to their intrusiveness, generally they need judicial authorisation and would be used against a suspect, eg cloud user, rather than the suspect's cloud provider. However, a provider can still be affected by an order against its customer because the search can extend to data "in another computer system or part of it in [the LEA's] territory", as long as the data is "lawfully accessible from or available to the initial system" - eg cloud servers accessible from the initial system.
But unless the provider has structured its service on a territorial basis (eg confining storage to geographical regions, as permitted by Amazon Web Services, Windows Azure and recently Google Storage for Developers), how will the LEA know if the other system is actually on its territory, especially with cloud computing? And can the authority discover the data's location quickly enough? Therefore, the Convention allows direct access by LEAs to data in other countries, in certain situations (although a country can authorise direct access by foreign LEAs in further situations, if it wishes).
Direct access is permitted to “publicly available (open source) stored computer data" - ie data accessible without further authorisation. If there are access control restrictions, then "lawful and voluntary consent" must be obtained from someone with "lawful authority to disclose the data”. This could be the cloud user, but often it will be their provider. As our survey of standard cloud contract terms found, in most cases the provider's standard terms of service entitle it to disclose customer's data in various circumstances - ranging from receiving a valid court order, to a low threshold based on the provider’s discretion or view of its best interests.
Serving a court order on a foreign cloud service provider may render the order unenforceable, so many providers stipulate a lower threshold, accepting requests from recognised LEAs or where there's a clear and immediate need for disclosure in the public interest, such as danger to life.
Real-time collection or recording of traffic data and interception of communication content are allowed, with their own authorisation procedures. An LEA can record or collect the data itself, or compel a service provider to do so.
However, it's not always easy to distinguish between data in transmission and data at rest. For example, when a user posts a message on a SaaS application for subsequent retrieval, is the message in the course of transmission (involving interception procedures) - or is it stored computer data (requiring production, search and seizure or similar procedures)?
In the UK, access to stored data generally requires a judicial warrant (eg Police and Criminal Evidence Act 1984), whereas interception of data in transmission requires an executive warrant, and access to communications data just administrative authorisation (Regulation of Investigatory Powers Act 2000).
Evidence elsewhere
Where evidence sought is located in another country, an LEA can:
- initiate formal mutual legal assistance (MLA) arrangements seeking assistance from a foreign LEA,
- cooperate informally with the foreign LEA,
- engage directly with the material sought, or
- liaise directly with the foreign service provider to request its voluntary assistance.
The Convention was intended to facilitate the first two through harmonising laws and improving international cooperation, notably on providing or exchanging information.
Formal MLA procedures have historically been slow and cumbersome. For example, in 2004, following an Italian public prosecutor's request under a MLA Treaty, US-based managed hosting company Rackspace received a subpoena for certain server log file information relating to certain URLs. To comply, Rackspace chose to shut down the identified host server, located in London not the US, and deliver copies of servers to the FBI, resulting in media organisation Indymedia and over 20 other sites being taken offline.
Interestingly, execution of a legitimate bilateral MLA request required implementation in a third country, the UK, with no involvement from UK LEAs or apparent consideration of legalities under English law. It seems Rackspace felt it had to exceed the terms of the request because it couldn't locate the requested files within the required timescales, illustrating the tension between the need for speed (with corresponding initiatives to reduce procedural lag) and the requested party's ability to respond appropriately.
The Convention tried to address this legacy through mechanisms that, in part, effectively blur the line between formal and informal assistance. This can improve international cooperation, but raises questions about its legality and the impact on rights of those under investigation or who experience collateral interference.
The first mechanism harmonises criminal law. This means cloud-based criminal conduct is more likely to be a criminal offence simultaneously in multiple jurisdictions - both the suspect's country and the country where the suspect's data is located. Examples include child sexual abuse images, or possessing or distributing devices (including software) designed for criminal conduct against computer systems' confidentiality, integrity and availability.
A second mechanism involves encouraging national LEAs to disclose information proactively to foreign LEAs, where it appears relevant to conduct seemingly connected to the foreign territory. This of course depends on the strength of relations between the countries concerned, and the position of the LEAs involved.
An LEA could directly interfere with an online resource associated with a suspect, such as a cloud service, to obtain evidence. However, this could constitute a criminal offence by the LEA in the domestic and/or foreign country, unless there was some statutory defence or immunity, and an authorisation and supervision regime would also be needed. Such LEA conduct, especially in a multi-jurisdiction context, is problematic on grounds of principle, legality and practicality, and is therefore not considered further.
LEAs and foreign providers
Whether an LEA can successfully obtain data by asking foreign service providers to disclose it voluntarily depends on various factors, including the provider's contractual terms on data disclosure as discussed above. Another factor is whether the foreign provider has a domestic presence, even if distinct from the service relevant to the investigation.
Facebook, for example, may store material on US servers relating to its cloud services, but its presence in the UK means there is a domestic route through which UK LEA requests can be channelled to the foreign entity. How the recipient foreign entity treats such requests will vary with internal corporate policy, but any multinational is likely to be mindful of the impact that an adverse decision may have on the position of its domestic entity.
Google's transparency reports on government requests are of interest, mapping domestic and foreign LEA requests to Google for user information as well as requests for content removal, although they don't show to what extent requests for user information are met or challenged, or how many requests are for information on users resident outside the country of the requesting LEA.
In 2008, a conference organised by the Council of Europe adopted Guidelines for the cooperation between law enforcement and internet service providers against cybercrime, designed to structure their interactions “in an efficient manner with due consideration to their respective roles, the cost of such cooperation and the rights of citizens.” Effective cooperation often depends on building a “culture of cooperation” between providers and LEAs. Is facilitating data disclosure (when not compelled by law) good or bad?
That depends on your perspective and trust in those involved. Some concerned about such developments might point to, for example, Amazon's decision to terminate WikiLeaks' hosting services, purportedly under pressure from the US administration.
The Guidelines recommend that LEAs "should be encouraged not to direct requests directly to non-domestic Internet service providers”, but rather use inter-state procedures under international co-operation treaties. This implicitly recognises that direct liaison with foreign service providers does occur, even if discouraged.
However, indirect requests through the domestic branch of the foreign service provider are not covered. Also, the Guidelines don't have a complementary recommendation for service providers encouraging them not to disclose in response to requests from foreign LEAs!
They recommend that service providers be encouraged to cooperate with LEAs, including reporting incidents of criminality which come to their attention. As with proactive information disclosure by foreign LEAs, this recommendation could effectively circumvent the need to comply with MLA procedures.
Service providers are also recommended to establish "criminal compliance programmes" detailing internal procedures, including “the extent that a service provider operates in multiple countries”. From a cloud perspective, mapping a service provider’s footprint of operations and data centres may facilitate the serving of LEA data requests, but wouldn't necessarily identify the country where data resides at the time of the request.
Convention vs EU law
The Convention deals with measures against a "service provider" (which could include SaaS, IaaS, PaaS and communications providers), but its definition is not mirrored in EU law.
In EU law, the main distinction is between "electronic communication services" (ECS) and "information society services" ("ISS"). ISS are primarily regulated under the Electronic Commerce Directive. SaaS, PaaS and IaaS are widely considered to be ISS, while communication services (the "pipes", internet access providers like telcos) would be ECS. However, much depends on the nature of the service being supplied in the particular circumstances. For example, Communications-as-a-Service (CaaS), a type of cloud service giving enterprises the functionality of an in-house communications system, could be seen as an ECS - or, alternatively, as an "associated facility" or "associated service", which also form part of the EU communications regime.
The uncertainties arising from the blurred boundary are illustrated well by the Communications Privacy Directive and the Data Retention Directive, which both require EU Member States to adopt measures relevant to LEA access to data processed by service providers.
The Communications Privacy Directive requires Member States to prohibit interception or surveillance of communications and related traffic data by persons other than users, except as authorised under article 15(1) (including criminal investigations and prosecutions). While the prohibition applies against all persons, including service providers and LEAs, it only applies to communications transmitted via "a public communications network and publicly available electronic communication services". Communications over non-public networks and services would thus not be subject to the regime, although they are covered by analogous Convention provisions and national legislation may extend the scope of the prohibition. Therefore, it is unclear whether intra- or inter-cloud communications are subject to this prohibition.
Article 15(1) allows Member States to authorise interception or surveillance by LEAs, without specifying conditions. The Convention states that competent LEAs should be empowered to carry out acts of interception or to compel a service provider “within its existing capability” to carry out the interception or assist LEAs.
However, many Member States go further, requiring certain entities specifically to implement a lawful intercept capability enabling LEAs to conduct or compel interception of communication content. Such "build" obligations are generally only imposed on providers of communication networks or services, as a regulated activity - which returns us to the boundary issue of whether a cloud provider can be characterised as providing an ECS or an ISS.
The Data Retention Directive similarly imposes data retention obligations on “providers of publicly available electronic communication services”. A paper (annex) by the Data Retention Experts Group considered webmail and web-based messaging services (eg SaaS webmail), whether for corporates or consumers, with scenarios such as leaving messages on websites for another user.
They concluded that most such services are ISS, rather than ECS, and therefore outside the scope of the Data Retention Directive. The problems raised by the characterisation issue were highlighted by a case where a Belgian public prosecutor asked Yahoo! Inc for certain data regarding certain fraudulent behaviour conducted using Yahoo! webmail accounts, under Belgium's Criminal Procedure Code.
Yahoo! refused, arguing that: (a) US-based Yahoo! Inc was not subject to Belgian jurisdiction, so the request should have been made through MLA procedures; and (b) its service was not an "electronic communication service", and therefore not subject to the relevant order. The lower court held Yahoo! had unlawfully refused to disclose and fined Yahoo! €55k plus €10k for every day of continued refusal.
The Court of Appeal ruled however that Yahoo! was not a "provider of an electronic communication service", and so could not be required to co-operate. But then the Supreme Court held the Court of Appeal was wrong to exempt Yahoo! from application of criminal procedure provisions on the basis that the service was not an "electronic communication service" under the Belgian Electronic Communications Act 2005, as the scope of that concept under criminal law was broader than under regulatory law.
It referred the decision back to the Court of Appeal for reconsideration. This case shows that regulatory characterisation can affect the legality of LEA requests and providers' obligations to comply, potentially resulting in disputes between them.
While the admissibility and evidential weight of cloud-derived evidence obtained by LEAs will not be discussed in detail here, it should be noted that the legality of conduct may differ between the foreign jurisdiction where the evidence was obtained, and the domestic jurisdiction where the evidence is being presented.
This may affect the domestic court’s treatment of such evidence. For example, a US court denied a request for evidence obtained from a foreign computer system to be suppressed on the grounds that it breached constitutional protections, on the basis that the protection did not apply to property outside the United States. Therefore, for example, a breach of data protection rules in the course of obtaining evidence may not prevent cloud-derived evidence from being admissible, all other things being equal.
In Europe, a service's characterisation has important implications for providers' regulatory obligations and their relationships with LEAs, and the unclear regulatory boundary between provision of communication services and cloud-based services needs to be addressed. International rules on transborder evidence-gathering ill suit cloud-based processing, or indeed other computer and networking environments.
Reforms since 2000, based on harmonising legal systems and resorting to more informal inter-state mechanisms, raise issues of accountability and of ensuring LEAs do not exceed their powers and interfere inappropriately with individual rights. Over-stepping may expose LEAs to liability as well as possibly affecting the evidential value of data obtained.
For transborder investigations, LEAs are directly or indirectly (ie through a domestic entity) contacting foreign service providers informally, with requests for data. Such requests shift concerns over legality from requesting LEAs to responding providers, but our research indicates that cloud providers generally cater for the possibility of law enforcement disclosures of customer data in their standard terms, thereby facilitating informal co-operation with LEAs while mitigating their legal risks.
In the cloud, the potential consequences of the many blurred boundaries can be significant (eg data at rest/in transmission; which entities can powers be exercised against, and in which territory(ies)). They are exacerbated by many cloud services' multi-jurisdictional nature.
These uncertainties may erode users' rights in their communications content, create legal, procedural and operational uncertainties for cloud service providers regarding their obligations to obtain and deliver data requested by LEAs, and cause legal uncertainties for LEAs as to the limits of their powers and which procedures to use in investigations.
The full paper by Prof Ian Walden detailing the above, and related issues such as the European Evidence Warrant, possible European Investigation Order regime and use of cloud-derived evidence, "Law Enforcement Access in a Cloud Environment", is available for free download.