
The challenges of cloud-derived evidence

The challenges of cloud-derived evidence. Professor Ian Walden Centre for Commercial Law Studies, Queen Mary, University of London. Introductory remarks. Cloud computing A new ICT paradigm? Crime follows opportunity.... An environment for obtaining evidence Addressing the data problems



  1. The challenges of cloud-derived evidence

    Professor Ian Walden, Centre for Commercial Law Studies, Queen Mary, University of London
  2. Introductory remarks
      - Cloud computing
        - A new ICT paradigm?
        - Crime follows opportunity....
        - An environment for obtaining evidence
      - Addressing the data problems
      - Exercising law enforcement powers
        - Legality & enforceability
        - Jurisdictional reach
      - Evidential impact
  3. Cloud computing
      - ‘X as a Service’
        - Software, Platform or Infrastructure: SaaS, PaaS & IaaS
        - Flexible, location-independent, on-demand, shared, virtualised
      - Cloud multi-layered ecosystem
        - Service providers
        - Infrastructure providers
        - Communication providers
      - Deployment models
        - Public, private, community or hybrid
  4. Forensic challenges in the Cloud
      - Multiplicity
        - e.g. Data replication for performance, availability, back-up & redundancy
      - Distributed storage
        - e.g. ‘sharding’ and ‘partitioning’
        - The ‘loss of location’
      - Protected data
        - e.g. cryptography
      - Identity
        - Establishing links
  5. Identity
      - Target IP address
        - e.g. 38.111.64.2 generated by application being utilised
      - IP holder
        - ‘whois’ enquiry of regional, national or local registry databases
      - Logging history
        - e.g. DHCP allocation log
      - Subscriber details
        - e.g. Credit card details
  6. CSP-derived data
      - Content & communications data
        - ‘in transmission’ or ‘at rest’
        - Edmondson & ors v R [2013] EWCA Crim 1026
      - Expedited preservation (‘quick freeze’)
        - Cybercrime Convention, arts. 16-17
      - Data retention
        - Data Retention Directive 06/24/EC
        - 6-24 months
      - Rights of access
        - ‘serious crime’ or ‘crime’
  7. Protected data
      - Another data problem!
        - ‘going dark’
        - ‘access’ & ‘conversion’ protections
      - Legal constraints
        - Time limits
      - Legal response
        - Criminalise the use
        - Obligation to assist
        - Break the protection
  8. Criminalise use
      - Control export, import, use
        - Export control regulations: ‘Wassenaar Arrangement’
        - Dual-use technologies, Category 5, Part 2: ‘Information Security’
        - Breach of regulations is a criminal offence
      - Use in criminal activity
        - e.g. State of Virginia (US), Computer Crime Act at § 18.2-152.15: ‘Encryption used in criminal activity’
        - “an offense which is separate and distinct from the predicate criminal activity”
  9. Obligations to assist
      - Cybercrime Convention, art. 19(4)
        - “to empower its competent authorities to order any person who has knowledge about the functioning of the computer system or measures applied to protect the computer data”
      - Regulation of Investigatory Powers Act 2000
        - RIPA Pt I: ‘Interception’
          - Section 12 Notice
        - RIPA Pt III: ‘Investigation of Protected Electronic Information’
          - Delivery-up of ‘key’:
          - Failure to disclose (s. 53): 2 yr term (5 yrs for national security & child indecency cases)
      - Cutler [2011] EWCA Crim 2781: “a very serious offence because it interferes with the administration of justice”
      - Padellec [2012] EWCA Crim 1956
  10. Breaking the protection
      - Ex ante measures
        - Mandating technology e.g. US ‘key escrow’ & ‘Clipper Chip’ (1995)
        - Influencing the standards e.g. Dual EC DRBG standard
      - Ex post arrangements
        - Expert resources e.g. UK: National Technical Assistance Centre
        - Hacking e.g. NSA’s ‘Tailored Access Operations’
      - Based more on stolen goods than maths!
  11. Human rights concerns
      - ECHR Article 6 – right against self-incrimination
        - S and A [2008] EWCA Crim 2177: “an existence independent of the will of the suspect”
      - US, 5th Amendment
        - Boucher 2009 WL 424718 (D.Vt.): Requirement to produce an unencrypted drive did not constitute compelled testimonial communication.
        - Kim 2009 WL 5185389 (US District Court for the Southern District of Texas 2009): Exceeding scope of warranted search & inapplicable ‘plain view doctrine’ resulted in suppression of child sexual abuse images discovered in encrypted folders
  12. Law enforcement
      - Law enforcement access
        - Covert & coercive investigative techniques
      - Request recipients
        - Cloud users
          - Suspect, victim or 3rd party
        - Cloud providers
          - Service providers
          - Infrastructure providers
          - Communication providers
      - Within & beyond the territory
  13. LEA investigative powers
      - ‘Exercising a power’
        - Permissible & impermissible conduct e.g. entrapment
        - Expedited preservation, retention & delivery-up
      - Differential authorisation
        - Judicial, executive or administrative
      - Issues of legality & enforceability
        - Obtaining authorisation
        - Executing the authorisation
        - Recipient’s actions e.g. Rackspace (2004)
  14. Jurisdictional reach
      - Cybercrime Convention (2001)
        - Production order (art. 18)
          - Person ‘in its territory’ or ‘offering its services in the territory’ with ‘possession or control’
          - Rackspace (2013)
        - Search & seizure
          - Domestic networks (art. 19)
          - International networks (art. 32)
          - Open source or lawful and voluntary consent of the person who has lawful authority to disclose
          - Other forms are ‘neither authorised, nor precluded’
      - Contractual provisions
  15. International co-operation
      - Mutual legal assistance
        - From harmonisation to mutual recognition
        - Convention on Cybercrime
        - TFEU, art. 82: European Evidence Warrant & European Investigation Order
      - Informal co-operation with foreign LEAs
        - Proactive disclosure & 24/7 networks
      - Direct liaison with foreign service providers
        - Council of Europe Guidelines (2008)
        - e.g. Google ‘Transparency Report’
      - Engage directly with the material sought
  16. Cloud-derived evidence
      - ‘fair trial’ and ‘due process’ considerations
        - Regulating investigative practices?
        - Schenk v Switzerland (1991) 13 E.H.R.R. 242
        - United States v Gorshkov (2001)
      - Admissibility
        - Statutory rules
          - RIPA, s. 17 - Inadmissibility of UK intercept product
        - Judicial discretion
          - PACE, s. 78
        - Impact of lawfulness of obtaining, e.g. Suppression
      - Evidence gathered under MLA
  17. Probative value
      - Provenance issues with remote & protected data
        - Need for experts
      - Authenticity
        - Link person/material test
        - Computer source test
          - <A HREF..>, <IMG SRC...>
      - Integrity
        - ‘Operating properly’ test e.g. Waddon (1999): ‘mere post boxes’
      - Accountability
        - Acquisition test
        - Chain of custody test
  18. Concluding remarks
      - Clouds & the ‘loss of location’
        - Exceeding powers in application or reach
        - Surrendering sovereignty
      - From formality to informality
        - Issues of accountability & oversight
      - Harmonisation limitations
        - Building a ‘culture of co-operation’! e.g. Amazon & WikiLeaks
      - Evidential implications
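
Slide 5's chain from target IP address through the DHCP allocation log to subscriber details depends on placing the event time inside a lease window. The following is an added example, not part of the presentation: it resolves an (IP, timestamp) pair against a constructed lease log and reports when the match is not unique. The CSV layout, the `parse_leases` and `attribute` functions and all sample values are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed DHCP allocation log (not real data): ip, MAC, lease start, lease end.
# 203.0.113.0/24 is a documentation range; MACs and times are invented.
LEASE_LOG = """\
203.0.113.7,02:00:00:aa:bb:01,2013-06-01T08:00:00+00:00,2013-06-01T12:00:00+00:00
203.0.113.7,02:00:00:aa:bb:02,2013-06-01T12:00:00+00:00,2013-06-01T20:00:00+00:00
203.0.113.9,02:00:00:aa:bb:03,2013-06-01T09:00:00+01:00,2013-06-01T18:00:00+01:00
"""

def parse_leases(text):
    """Parse the assumed CSV layout and normalise every lease window to UTC."""
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, start, end = (f.strip() for f in line.split(","))
        leases.append((ip, mac,
                       datetime.fromisoformat(start).astimezone(timezone.utc),
                       datetime.fromisoformat(end).astimezone(timezone.utc)))
    return leases

def attribute(leases, ip, when, clock_skew_s=0):
    """Return (status, macs) for the device(s) that could have held `ip` at `when`.

    status is "unique", "ambiguous" (several leases fit once clock skew between
    the application log and the DHCP server is allowed for) or "no-lease".
    """
    if when.tzinfo is None:
        # A naive timestamp cannot be placed on the lease timeline at all.
        raise ValueError("event timestamp needs an explicit UTC offset")
    when = when.astimezone(timezone.utc)
    skew = timedelta(seconds=clock_skew_s)
    macs = sorted({mac for lip, mac, start, end in leases
                   if lip == ip and start - skew <= when < end + skew})
    if not macs:
        return ("no-lease", [])
    return ("unique" if len(macs) == 1 else "ambiguous", macs)

if __name__ == "__main__":
    leases = parse_leases(LEASE_LOG)
    handover = datetime(2013, 6, 1, 12, 0, 30, tzinfo=timezone.utc)
    print(attribute(leases, "203.0.113.7", handover))        # exact clocks
    print(attribute(leases, "203.0.113.7", handover, 60))    # 60 s of skew
```

An "ambiguous" result near a lease handover means the log alone does not link the event to one device, which bears on the "link person/material" test listed under probative value.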