Accessing Data in the Cloud: The Long Arm of the Law Enforcement Agent
Queen Mary University of London, School of Law
November 14, 2011
Queen Mary School of Law Legal Studies Research Paper No. 74/2011
In an investigation involving cloud computing services, Law Enforcement Agencies (LEAs) may seek access to data held on computer systems located in foreign jurisdictions, held by foreign service providers or where the physical location of the data is unknown. A LEA investigation may focus on cloud users and/or cloud service providers through the utilisation of covert investigative techniques, such as surveillance or interception, or the exercise of coercive powers, such as search and seizure, to directly obtain the forensic material.
This article considers various forensic challenges for law enforcement in a cloud computing environment and discusses questions of vires raised by the exercise of LEA powers. When does the exercise of LEA powers in the cloud reach a jurisdictional limit, thereby becoming potentially unlawful in the LEA's domestic jurisdiction as well as in the foreign territory where they were exercised? What obligations does a service provider have to assist a LEA in an investigation, from delivering up data in response to a request, to retention of data and implementation of an intercept capability? How may LEA powers differ between obtaining data ‘at rest’ within a cloud service, as opposed to data ‘in transmission’ to, from or within the cloud service? Finally, where data is obtained ultra vires, in breach of legal rules, what impact may that have on the evidential value of such data?
For LEAs, cloud service providers and users, each of these issues presents a boundary between lawful and unlawful behaviours, or regulated and unregulated activities. This article examines how and when those boundaries apply, and what mechanisms have been adopted, or are proposed, to address the needs of LEAs in a cloud environment. This article focuses on European Union and international legal rules, particularly the Council of Europe Cybercrime Convention (2001), on obtaining data for investigative and subsequent prosecutorial purposes, and how such rules interact and potentially conflict with foreign laws and rules.
Number of Pages in PDF File: 24
Keywords: Cloud Computing, Confidentiality, Conflict of Laws, Contract, Crime, Criminal Law, Cybercrime, Data Disclosure, Data Privacy, Data Protection, Data Retention, EU, European Union, Evidence, Forensics, Interception, Internet, Jurisdiction, Law Enforcement, Law Enforcement Agencies, Legal Issues
Date posted: March 10, 2011; Last revised: April 11, 2015