“Welcome to Our World” – Building Bridges in the Cloud

There are several challenges for national law enforcement authorities working in the global cyberspace, including the collection of evidence in the cloud, a topic that was the focus of the Council of Europe’s recent Octopus Conference on Cooperation against Cybercrime. One participant, a representative of a law enforcement authority in a small European country, spoke of his difficulty to obtain evidence to investigate local criminal activity when such evidence is in the form of digital communications stored in cloud servers based in the United States. He claimed that the procedure to get cross-border evidence is cumbersome. The U.S. government, in many circumstances, requires countries seeking, for example, a suspect’s personal emails to follow the procedures of Mutual Legal Assistance Treaties (MLATs) in order to obtain that evidence stored in the U.S.

But with the shoe on the other foot, the U.S. government is currently seeking emails stored in Microsoft’s data center in Ireland for an investigation – but it refuses to go through the same MLAT procedure, claiming that the process is too cumbersome.

Unsurprisingly, the European law enforcement representative was unsympathetic to the American government’s objection to following the same rules it imposes on others, remarking “welcome to our world.”

But this European law enforcement representative would also prefer to avoid any international procedure at all. Given that the internet is by nature interconnected globally, he thinks cloud providers can simply copy any evidence from anywhere in the world and give it to him.  Like all law enforcement investigators, he just wants to get the evidence fast and get on with his investigation.

This is understandable. But as a cloud services provider, we hear different positions from different government agencies.

Some insist that the physical location of data does and should affect what rules apply to it. Others, considering their own move to modern cloud services, want to know exactly how their data would be managed in the cloud and want reassurance that access to it would be strictly controlled. And these same agencies cannot contemplate a situation without limits on what other governments could do to gather digital records.

Different government stakeholders can create divergent, sometimes competing, demands for cloud providers. Welcome to our world.

With such different imperatives at work, there is a growing recognition of the need for clear rules about law enforcement access to data in the cloud. These should be consistent with the rule of law, as agreed upon among nations and understandable to citizens.

Efforts have already been made by organizations such as the Council of Europe and the Global Network Initiative to assess MLAT processes and recommend improvements which could make them more effective. And there have been calls for new agreements, if necessary, that can better enable law enforcement to obtain information needed for investigations across borders while respecting  peoples’ privacy.

What is clear is that the current situation is unsustainable.

Law enforcement has an important job to do to keep citizens safe. But with cross-border cloud computing services becoming the norm for data storage, public safety cannot happen without cooperation between stakeholders of all kinds, both public and private.

One of the underlying themes of the Octopus Conference was the need for law enforcement authorities to partner more systematically and effectively with cloud services providers in the private sector. Such partnership needs rules of the road, combined with a better understanding of each other’s world.