Note: in November 2011 this paper was updated and expanded, and is now entitled 'Accessing Data in the Cloud: The Long Arm of the Law Enforcement Agent'. In particular, it has a new section on law enforcement and data protection, and it discusses recent issues, e.g. regarding the US PATRIOT Act and US access to EU personal data in cloud computing. Please see the SSRN link below for the latest version.
In an investigation involving cloud computing services, Law Enforcement Agencies (LEAs) may seek access to data held on computer systems located in foreign jurisdictions, held by foreign service providers or where the physical location of the data is unknown. A LEA investigation may focus on cloud users and/or cloud service providers through the utilisation of covert investigative techniques, such as surveillance or interception, or the exercise of coercive powers, such as search and seizure, to directly obtain the forensic material.
This research considers various forensic challenges for law enforcement in a cloud computing environment and discusses questions of vires raised by the exercise of LEA powers. When does the exercise of LEA powers in the cloud reach a jurisdictional limit, thereby becoming potentially unlawful in the LEA's domestic jurisdiction as well as in the foreign territory where they were exercised? What obligations does a service provider have to assist a LEA in an investigation, from delivering up data in response to a request, to retention of data and implementation of an intercept capability? How may LEA powers differ between obtaining data ‘at rest’ within a cloud service, as opposed to data ‘in transmission’ to, from or within the cloud service? Finally, where data is obtained ultra vires, in breach of legal rules, what impact may that have on the evidential value of such data?
For LEAs, cloud service providers and users, each of these issues presents a boundary between lawful and unlawful behaviours, or regulated and unregulated activities. This research examines how and when those boundaries apply, and what mechanisms have been adopted, or are proposed, to address the needs of LEAs in a cloud environment. This research focuses on European Union and international legal rules, particularly the Council of Europe Cybercrime Convention (2001), on obtaining data for investigative and subsequent prosecutorial purposes, and how such rules interact and potentially conflict with foreign laws and rules.
The paper by Prof Ian Walden reporting on this research is available via SSRN: 'Law Enforcement Access in a Cloud Environment'.
The slides for a presentation by Prof Walden on this research are also available.
This research has also been published, or is to be published, as follows:
- As a chapter in a book Privacy and Security for Cloud Computing: Selected Topics, to be published by Springer in its Computer Communications and Networks series, comprising selected papers from the CPSRT'2010 workshop with additional invited chapters (forthcoming)
- Law enforcement agencies access rights to your cloud data (a summary of the paper) in ComputerWorldUK, 22 July 2011
Another version of this paper has also been published by ComputerWorld UK, 29 May 2012, available here.