Criminal Justice Access to Data in the Cloud: Cooperation with “Foreign” Service Providers
Page Count: 38 pages
Date: May 3, 2016
Originating Organization: Council of Europe, Cybercrime Convention Committee
File Type: pdf
File Size: 555,121 bytes
File Hash (SHA-256):A66EEB1A5F8C37F33B3F16374A46EA655168CBD3F226551050C878D1D8531F32
The Cybercrime Convention Committee (T-CY), at its 12th plenary (2-3 December 2014), established a working group to explore solutions to access for criminal justice purposes to evidence in the cloud, including through mutual legal assistance (“Cloud Evidence Group”). The Cloud Evidence Group is to submit a report to the T-CY with options and recommendations for further action by December 2016.
In 2015, the T-CY Cloud Evidence Group, following a discussion paper summarizing the challenges of criminal justice access to data in the cloud (published in May 2015 and discussed at the Octopus Conference in June 2015), held a hearing for providers on 30 November 2015 which focused on the direct cooperation by criminal justice authorities with service providers in foreign jurisdictions:
Often a prosecution or police authority (a “law enforcement authority”) of a Party to the Budapest Convention requests a service provider in another jurisdiction for data in relation to a specific criminal investigation. Typically, subscriber information is sought from multinational service providers with their headquarters in the USA (“US service providers”). Some of them have subsidiaries in Europe or elsewhere.
Transparency reports published by US service providers indicate that they respond positively to about 60% of such requests “on a voluntary basis”.
Article 18 Budapest Convention covers “production orders” and Article 18.1.b specifically the production of subscriber information by a service provider “offering its services on the territory of the Party”:
Article 18 – Production order
1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order:
a a person in its territory to submit specified computer data in that person’s possession or control, which is stored in a computer system or a computer-data storage medium; and
b a service provider offering its services in the territory of the Party to submit subscriber information relating to such services in that service provider’s possession or control.
The Explanatory Report (paragraph 171) to the Budapest Convention indicates Article 18 was also intended to cover situations of voluntary cooperation:
171. A “production order” provides a flexible measure which law enforcement can apply in many cases, especially instead of measures that are more intrusive or more onerous. The implementation of such a procedural mechanism will also be beneficial to third party custodians of data, such as ISPs, who are often prepared to assist law enforcement authorities on a voluntary basis by providing data under their control, but who prefer an appropriate legal basis for such assistance, relieving them of any contractual or non-contractual liability.
The purpose of the present background paper is to provide a snapshot of policies and practices of some major US service providers regarding their “voluntary” disclosure of information to law enforcement authorities in foreign jurisdictions, and thus to facilitate discussion of future options regarding criminal justice access to electronic evidence in the cloud.