The nature of the cloud services inherently does not have much respect for geographical boundaries (although, some providers do apply certain zoning for their users and that might effect the law enforcement agency (LEA)’s work). This feature results in serious challenges for the LEAs, who do have to respect the sovereignty of other jurisdictions while carrying out their duties.

Before the cloud era the Mutual Legal Assistance (MLA) was used mainly as a general approach on behalf of the LEA in order to obtain certain evidences from foreign sources. However, it appears to be too slow and bureaucratic when applied to computer-derived data, especially from cloud services.

Cloud service providers – for the sake of the best service quality and cost efficiency – provide their services in a specific way (e.g. storage of user data in multiple locations, usually in fragments and under a certain level of security, while the identity of the user is not necessarily sure).  Identification of the competent jurisdiction is not easy either. Additional problem for the LEA is that sometimes the meta data of the given virtual evidence is just as important as the evidence itself, however the integrity of such data is easily compromised and therefore the evidence itself may lose its value in the eyes of the judicial forum (despite all the efforts involved in obtaining the evidence). This is why the way of obtaining the virtual evidence is more important than ever before.

Due to several technical reasons (e.g. encrypted transition of the data) and the probable lack of co-operation of the data subjects, it seems that the LEAs have their best chances to get what they need with the cloud providers (besides the telecommunication service providers, who are already obliged to cooperate with domestic LEAs under statutory regulations). However, cloud service providers are not that easily regulated on a domestic/national level.

LEAs of different nations apply different standards of procedure (e.g. to the same type of data requests they might require judicial, executive or only and administrative authorisation). However, the recognition of such authentication may not be acceptable by the foreign executing state organ, or vica versa, the way of execution of a certain request by a foreign entity may not be acceptable by the domestic authorities under domestic procedural standards.

In order to have some level of standardisation and efficiency increase with respect to cross-border law enforcement involving virtual evidence acquiring, in 2001 the Cybercrime Convention has been introduced (by now it has 54 signatories)1. This is relevant from the perspective of formal co-operation of LEAs of the ratifying states. Nevertheless, a more direct approach is often applied by some LEAs, when a cloud provider is asked for voluntary assistance (although it is discouraged by the Council of Europe) and LEAs are risking to lose the benefits of the provided evidence due to the breach of procedural rules. The implementation of a criminal compliance programme is also recommended by the Council of Europe for service providers in order to ease the assistance to LEAs.

Proactive informal co-operation of LEAs with respect to cross-border criminal activities can serve as a solution to jurisdictional problems regarding data in the clouds, however it also raises many concerns.

 

1 https://en.wikipedia.org/wiki/Convention_on_Cybercrime

Source: Cloud Computing Law- Edited by Christopher Millard (2013)