24 Pages Posted: 10 Mar 2011 Last revised: 11 Apr 2015
Date Written: November 14, 2011
In an investigation involving cloud computing services, Law Enforcement Agencies (LEAs) may seek access to data held on computer systems located in foreign jurisdictions, held by foreign service providers or where the physical location of the data is unknown. A LEA investigation may focus on cloud users and/or cloud service providers through the utilisation of covert investigative techniques, such as surveillance or interception, or the exercise of coercive powers, such as search and seizure, to directly obtain the forensic material.
This article considers various forensic challenges for law enforcement in a cloud computing environment and discusses questions of vires raised by the exercise of LEA powers. When does the exercise of LEA powers in the cloud reach a jurisdictional limit, thereby becoming potentially unlawful in the LEA's domestic jurisdiction as well as in the foreign territory where they were exercised? What obligations does a service provider have to assist a LEA in an investigation, from delivering up data in response to a request, to retention of data and implementation of an intercept capability? How may LEA powers differ between obtaining data ‘at rest’ within a cloud service, as opposed to data ‘in transmission’ to, from or within the cloud service? Finally, where data is obtained ultra vires, in breach of legal rules, what impact may that have on the evidential value of such data?
For LEAs, cloud service providers and users, each of these issues presents a boundary between lawful and unlawful behaviours, or regulated and unregulated activities. This article examines how and when those boundaries apply, and what mechanisms have been adopted, or are proposed, to address the needs of LEAs in a cloud environment. This article focuses on European Union and international legal rules, particularly the Council of Europe Cybercrime Convention (2001), on obtaining data for investigative and subsequent prosecutorial purposes, and how such rules interact and potentially conflict with foreign laws and rules.
Keywords: Cloud Computing, Confidentiality, Conflict of Laws, Contract, Crime, Criminal Law, Cybercrime, Data Disclosure, Data Privacy, Data Protection, Data Retention, EU, European Union, Evidence, Forensics, Interception, Internet, Jurisdiction, Law Enforcement, Law Enforcement Agencies, Legal Issues
Suggested Citation: Suggested Citation
Walden, Ian, Accessing Data in the Cloud: The Long Arm of the Law Enforcement Agent (November 14, 2011). Queen Mary School of Law Legal Studies Research Paper No. 74/2011. Available at SSRN: https://ssrn.com/abstract=1781067 or http://dx.doi.org/10.2139/ssrn.1781067
By Chris Reed