Did an interesting raid yesterday assisting local enforcement officers. Customer management database (which is what they really wanted) was cloud based with the data being held in California (we were in London), really makes the team concentrate on their exact legal powers and how far they can go in terms of extracting the data.
To make things even more messy, to save costs, employees had to bring their own laptops in to access the database.
That does sound very messy indeed 😯
Do you have any power to access the employee laptops? Or is that out of the question as it is the employees' own personal belongings?
Have you formulated any approaches by which you will be able to get hold of the db?
I wondered if you could go down the path of an employee assisting - but something seems so wrong with
"to save costs, employees had to bring their own laptops in to access the database."
I can't help but have the thought "to save costs..? really?" going round in my head and wondering if you have a whole office full of complicit employees.
well just because a helpful employee is willing to export the data from the database into a locally accessible form does not mean to say that it is a process that is legal from the point of view of powers.
If that export is done without the consent of the "controlling mind" of the company, it could get very messy.
Indeed - you'd need to seek cooperation from someone with a sufficient degree of authority. Your scenario raises so many interesting avenues for discussion.
Did you manage to get anywhere in terms of getting hold of the db in question?
don't want to go into too much detail as it's a live case but the legal principles are of interest
so the custodian company of the cloud is in California, USA, you are in UK, but where is the actual data?
What other jurisdictions is the cloud spread out to? How does that jurisdiction view privacy laws as far as that data is concerned?
We are seeing more and more of this. It is a real trick when dealing with cross border issues and just the general collection of the data in a defensible manner from 3rd party hosts. Companies like Intuit are pushing hard for cloud hosted solutions for all sizes of companies for CRM, accounting, etc. and Google hosted intranet solutions are a whole area of interest as well (and from what I am finding possibly full of security holes). Then there are a bunch of companies doing Exchange hosting.
First step is trying to get cooperation with the suspects/opponents to access their systems via your local court authority. This takes some lawyering and can be successful, but because time is an issue you want to make sure that you can get a preservation and/or restraining order in ASAP to make sure they are aware they cannot delete anything. Tricky thing here as well is that cloud storage doesn't generally have a file system from which you can pull a file table down to track C,A,M,D, so if things are changed you need access logs from the host. Also research what audit and backup capabilities the host has to see if you can roll back to another date and time to compare data. Getting the access to the host will take legal paperwork, but put them on notice with a preservation letter of some sort.
There are of course lots of jurisdictional issues that arise and it is always good to get local to the host legal authority, cooperation and help.
Ah, yes, the personal computer used for work is always a fun scenario and usually results in a ton of paperwork for protective orders. We like to push for immediate on-site image, bag, tag and seal two copies and then leave with the other side as a worst-case scenario. This way legal teams can fight over the inspection or access but the preservation is done. If they damage or lose the evidence it is on them.
"so the custodian company of the cloud is in California, USA, you are in UK, but where is the actual data?
What other jurisdictions is the cloud spread out to? How does that jurisdiction view privacy laws as far as that data is concerned?"
enquiries lead us to believe that the data is in California
Here in Canada we have at least one piece of case law (albeit not criminal) and some relevant search provision wording.
In eBay Canada Limited and eBay CS Vancouver Inc. vs The Minister of National Revenue (2008), the judge ruled that even though the data that was being requested was situated on servers in the US, eBay Canada had access to it on their computers in Canada, and therefore eBay Canada had to produce it.
Also, pretty much all the Canadian computer search and seizure provisions, either under the Criminal Code or any other act, state that a person authorized by a warrant may search or seize any data "available to the computer system." This has been taken in some cases to include any data held in cloud environments as long as the user is logged on to the service at the time of the search.
Criminal Code of Canada section 487
(2.1) A person authorized under this section to search a computer system in a building or place for data may
(a) use or cause to be used any computer system at the building or place to search any data contained in or available to the computer system;