Cyberspace, the Cloud, and Cross-Border Criminal Investigation. The Limits and Possibilities of International Law
Tilburg Institute for Law, Technology, and Society CTLD – Center for Transboundary Legal Development, December 2014
102 Pages Posted: 6 Dec 2015
Date Written: December 20, 2014
The cloud reinforces existing challenges to digital evidence-gathering in criminal investigation, requiring not only swift action due to the vulnerability of data loss but also powers for remote data access. A particular challenge is that such remote evidence-gathering quickly extends beyond national borders. Since mutual legal assistance, despite many efforts to streamline procedures, is often still inadequate, the question is under what conditions cross-border investigations are allowed. This question is not new, but the challenges of cyber-investigation have so far not induced states to put strict interpretations of sovereignty aside.
This report aims to advance the debate on cross-border cyber-investigation by combining the fields of cyber-investigation. The central question is what limits and what possibilities exist within international law for cross-border cyber-investigations by law enforcement authorities, such as remote searches and directly contacting foreign service providers to request data. We focus particularly on questions of the legality of cross-border access to data under international law under the core principles of territorial integrity and non-interference.
The dominant interpretation of international law implies that accessing data stored on a foreign server without the prior foreign state’s consent breaches the territorial integrity of that state. The wrongfulness is not mitigated by the fact that the location of data may be unclear or unknown. The only lawful situation is where the affected state has given prior consent, on an ad-hoc basis or via a treaty (e.g., Article 32(b) Cybercrime Convention). Negotiating these limits of international law and creating new possibilities will require much effort, patience, and care.
We argue that solutions require substantial preliminary work to create a shared basis of common understanding. First, cyber-investigations challenges need to be formally recognised at the international level by state representatives. Second, problems need to be conceptualised carefully, using appropriate metaphors. Framing cyberspace as (more abstract) ‘space’ rather than as (physical) ‘place’ can make a difference in terms of thinking about solutions, as does conceiving of cross-border searches as sending and receiving messages rather than as ‘going to’ a server. Defining legal authority in terms of effective control rather than controlling territory within national boundaries may also help to understand jurisdiction in relation to ‘space’ rather than ‘place’. Third, the cyber-investigation and international law communities must familiarise themselves with each other’s language, concepts, and assumptions.
After such preliminary work, states can move forward in a two-prong approach. Long-term efforts should seek to develop a new international or widely shared multilateral legal instrument that allows narrowly defined and strongly safeguarded forms of cross-border cyber-investigations. This will take much time and effort, as the issue is simply too complex and sensitive for easy consensus. Meanwhile, in the shorter term, some states — early adopters — could start creating and enhancing the legitimacy of unilateral actions that are narrowly defined, transparently conducted, and strongly safeguarded, by advancing an alternative account of sovereignty in cyberspace. Using arguments similar to those that led to the principle of open skies in the context of remote sensing in the 1980s, these states could start suggesting a new principle of ‘open cyberspace’ in the context of cross-border access to data. Neither short-term nor long-term efforts will be easy to address the problems of cyber-investigation in the cloud era, but both are necessary if law enforcement is to move along in the 21st century.
Keywords: cloud computing, cyberspace, criminal investigation, cross-border investigation, remote search, international law, jurisdiction, sovereignty, territory, metaphor
JEL Classification: K14, K33, K42, O38
Suggested Citation: Suggested Citation