90 likes | 115 Views
This conference presentation explores the shift of law enforcement to accessing data in the cloud, discussing the volume of data, encryption, EU practices, UK law, and the need for transparency.
E N D
Lawful Access in the EU:The Pipe to the Cloud? Professor Peter Swire Ohio State University& Future of Privacy Forum Georgetown Law School Conference “Law Enforcement Access to the Cloud” March 19, 2012
Outline • Why law enforcement shift to cloud records • Volume of data up • Adoption of encryption in communications • Cloud best chance to get the data • E.U. practices for law enforcement & national security • U.K. law • Need much more transparency to compare to U.S. practices
Encrypted Communications, Now • Ahah! Make it easy for the user • Webmail - Gmail, Hotmail – 2010 • Blackberry/RIM • Virtual Private Networks • Facebook enables it • SSL standard for E-commerce (credit cards) • Skype and other VoIP The result – lawful access at ISP or local telco only gets encrypted content
Ways to Grab Communications • Break the encryption (but today is strong crypto) • Grab comms in the clear (CALEA doesn’t apply to email, data) • Grab comms with spyware before or after encrypted (not good cybersecurity) • Grab stored communications, such as in the cloud • My thesis: #4 is becoming FAR more important
UK & Data Protection • (Based on research of Ian Brown, Oxford) • Data Protection Act 1998 • L.E. & N.S. broad exemptions • Permits voluntary agreements with L.E. or N.S. agencies to turn over stored records • E.U. Data Retention Directive in effect, despite data protection authority concerns
U.K. & Lawful Access • Regulation of Investigatory Powers Act 2000 • Subscriber and traffic data, no court order • Telecomm providers must facilitate lawful interception, similar to CALEA • Counter Terrorism Act 2008 • Appears to override obligations of confidentiality, for disclosure to intelligence agencies • For content intercepts • Automated search appears OK if originate or terminate outside of UK
EU & US on Lawful Access • How to resolve the EU allegations that cloud services should be kept in the EU due to “Patriot Act”? • Resolution requires a good comparison of EU & US • Transparency • U.K. law may well have less court supervision than U.S. law • Lack of clear description of law elsewhere in E.U. • Even less transparency about actual practice: “difficult to ascertain” • Dropping L.E. & N.S. from the draft Regulation sign of continued lack of transparency • Should resolve growing dispute based on accurate understanding, not allegations