Panelists: Pamela Kiesselbach, Senior Consultant Corporate Crime & Investigations, Herbert Smith Freehills; Stephen Mason, Barrister; Jy Millis, Corporate Associate, Herbert Smith Freehills; Shahaf Rozanski, Director of Forensics Products, Cellebrite Ltd.
Shahaf Rozanski: Hi everyone! Our focus today is around obtaining evidence from the cloud, mainly from the legal aspect. We asked you a question before you joined the webinar, with respect to what kind of challenges you are facing with obtaining evidence from the cloud. You can see the results on your screen. Most of you addressed the legal challenge as one of the key elements, one of the key challenges. But you also mentioned the ability to access the data and the processes related to acquiring the information. So this is exactly what we are going to do over the course of the next 55 minutes. We’re going to do some big discussion around what’s cloud data, then we are going to drill into four main topics – about the legal foundation for obtaining cloud data as evidence, who is the owner of the data, what are the jurisdictions related to cloud-based data, and eventually we will discuss some of the best practices for forensic extraction from the cloud.
Feel free to ask questions; we want to have this debate as open as possible. I know that you have many questions, so this is the right time to ask our expert. We will take questions during the session, after each part of… each topic. And have fun with us, the same way that we are.
Good. So just to begin the discussion: What is cloud? And to put us all on the same perspective. So when we say cloud, and when we refer to cloud during the course of the next hour, it will be with respect to the data that is hosted by remote service providers like social media, Facebook, Twitter, webmail, storage services like Google and Dropbox, instant messaging, and even e-commerce.
Now, all of us that live on planet Earth are using cloud services, we are using social media. Some of the statistics you can find in front of you about that… it depends on the region, but let’s say between 25% to 50% of the users are active social media users. One of the most interesting points is that when people are using the cloud, they are using it from the mobile device, which raises a very interesting point, both with respect to the legal challenge of what you can do around the cloud and mobile altogether, and I am sure that we will touch some of those points later in this conversation today.
If standard people like you and me are using cloud, so by all means criminals are also using cloud, and therefore the importance of cloud to the law enforcement [industry] and also to resolve some legal crimes is becoming more and more important. If by 2010, based on a survey conducted by the International Association of Chiefs of Police, only 50% of the cases handled information from the cloud to solve the case. Now it’s about 80%, so four out of five cases is actually solved using some information from the cloud, which is [indecipherable] more and more important.
Another good reference for that is the amount of time that the police is spending looking into the cloud. So more than 50% is using or looking into the cloud – more than 50% of the investigators are looking more than two or three times a week during their investigation. This is information coming from Lexis Nexis, that is an aggregator of information of caseloads in the US. So cloud is very important both for the law enforcement industry but it’s also very important for the private sector, and I know we have some very prestigious [firms] from the private sector on our call today. So I am sure you will be able to learn more about cloud investigation in the private sector as well.
So now that we all know what we are going to talk about, let’s start addressing our first question, and it will be with respect to the legal foundation for obtaining and using cloud data as evidence. With respect to that, what are the legal bases and legal tools that are available? Is this data actually admissible and why? And Stephen, would you like to take the honor to address this first topic?
Stephen Mason: Thank you, Shahaf. In the next ten minutes or so, I’m going to look over five individual points. I’m not going to deal with all of them in detail, because we obviously have an audience of a mix of people who are interested from the criminal perspective and also, as Shahaf has reminded [us], the private sector as well. It’s primarily going to be talking about the criminal side, but nevertheless, I’ll make some observations regarding the private sector.
Some I’m going to deal with very briefly, and one in particular I will deal with in slightly more depth, and I hope you will understand the reason why once I go through it. So first of all, the legal basis. The legal basis on which an investigating authority can obtain data in the cloud – and this will be certainly the same for both private and criminal investigations – is consent. That’s the first point to make, because it’s quite surprising how many people actually will give consent for you to obtain data in the cloud. And that includes police forces as well.
Obviously, if you’re a police officer, you can obviously obtain that through search warrants or subpoena, but interestingly, you’ve got to know who to direct that to – either to the owner of the data, if there is such a thing, which we’ll discuss later, or the user, and also perhaps the cloud provider, which is the normal course of events. One mechanism of course of achieving that is through a mutual legal assistance treaty. I will touch upon that very briefly later.
So on to my second topic, which is the basis of the authority for obtaining a warrant, which most police officers across the globe [will need]. I can obviously only detail with a [reasonable] amount of accuracy with a position in England and Wales. If I explain this very briefly, I hope you will understand where some of the problems arise. The relevant act in the UK is the Police and Criminal Evidence Act of 1984 as subsequently amended over the years, and Section 19 gives a general power of seizure. This act, by the way, as with all legislation, is available online on the UK government website. I’m not going to go into precisely what Section 19 allows you to do, but the interesting thing and the most important thing are the powers that [the constables] have.
First rule, the [constable] must be on the premises lawfully, and they must also have a valid reason for wanting to obtain the data. Third question is what can they obtain? Well, Section 19-4 says that a constable may require any information which is stored in any electronic form and is accessible from the premises to produce in a form which can be taken away and which is visible and legible. So that means… ‘any form’ means it can be scanned images or hard disks; ‘accessible from the premises’ means the computer is connected to the internet or/and linked to a website; and of course being in a legible form covers encrypted data. So some of you may be aware that we also have our requirements, under the Regulation of Investigatory Powers Act, if an order is issued that somebody should give up their password to encrypted data.
Now, this section, Section 19, only deals with the data, not the physical item such as the computer, which is dealt with in Section 20. Now, the problem that arises from this is who can be compelled to produce the material? Is it the occupier? Is it the owner of the computer upon which the data is stored? Is it the ISP on whose [indecipherable] server the data is stored? Or is it all of them? Well, the answer actually will depend on the precise powers being used and the terms of any relevant statute that is being operated on.
So this just illustrates in a very, very quick, brief way the complexity of the issue. A second problem is that, certainly under the law of England and Wales, at one time, a constable might be exposed to a [civil action for trespass] against items that were seized and later shown to be exempt from seizure, which obviously is quite a difficult issue. This particular problem has been addressed by Sections 50, 51, and 52 of the Criminal Justice and Police Act 2001. And this, as a lot of you listening at the moment who are based in… the cyber crime convention signatories will know, is now covered by the Convention of Cyber Crime articles 19-2 and [22-1d], and in fact, the sections 50, 51, and 52 I mentioned now actually incorporate the convention of cyber crime into UK law.
So the Section 52 deals with property [found on] premises, and provides that when a person is lawfully on the premises and they find property they would have been entitled to seize, but it also includes something that he has no power to seize – so it could be, for instance, you are entitled to seize the data but not to seize the item, which could be a smartphone or computer – but it is not practical for two items to be separated, then you can seize the property – which is obviously quite an important issue. The rationale for this, especially with obtaining evidence which may be in another jurisdiction which is actually on a computer, is that the investigator is merely observing the fact that the server continues to do what it was caused to do by the accused. So if the accused is actually on a website which is illegal for some reason, and it continues to be on when the constable is in the room, then the constable has the right to continue with the activity. And this position remains so providing the investigator does not cause the server to do anything else. So the investigator must be passive.
Now, the continuity remains from the point in time the accused connected to the server to the point in time that the investigator seizes the computer. And of course providing the investigator does not give any instructions to the server, they do not alter the original function. And of course all the investigator is doing at this stage is storing the information that is being sent from the server to the computer. So that, certainly the position in the UK is now fairly well established.
So to go on now, the only problem is ownership is not always clear. But that, Jy is going to discuss later, and we may be asked to comment, so I won’t take any more time on that particular issue.
So regardless of physical location, you can still obtain the data. There is a Danish case in that respect which is reported in my journal. Regarding mutual legal assistance, which is my third point, I’m not going to say very much on this, other than: those of you who are listening who are involved in this area will know that some countries deal with [mutual legal aid and] assistance under a treaty very, very slowly. There can be quite a significant length of delay. Also though, from the party who is making the application, there can be a failure to make an appropriate application, and this actually is more significant and happens more frequently than people would like to admit. And also, there is a failure to fill out forms properly. This is certainly where, if you had an online form with specific boxes that have to be filled in, in a particular way, with particular information, would alleviate some of those stresses obviously.
I know one country, my own, England and Wales, the UK generally, we do have a member of the Crown Prosecution Service permanently positioned and located in Washington, DC in the United States, and they act as a liaison officer to obtain evidence from US organizations when asked to do so by the British police. That can obviously be a fairly expensive option, but nevertheless, it does work quite well apparently.
The fourth point I’m making is the admissibility of digital data as evidence. Now, having looked at well over 45 to 50 jurisdictions in detail through my books, and also editing my journal, I can say with a high degree of certainty that admissibility is not really an issue in most jurisdictions. There are some issues that arise in some jurisdictions, but they are peculiar to that particular jurisdiction, and no doubt if the United Nations or maybe Europe worked on a convention on electronic evidence, that might be resolved.
The fifth point, which I think is quite important in my last 90 seconds, is do we all understand the importance of data stored in a cloud? We do understand that. But are legal systems ready and able to accept, interpret, and apply it? And that is a very mixed bag, and I am sure most of the people listening to this will understand some jurisdictions are better at accepting and interpreting the data, and some jurisdictions are not. And this is where a great deal of more work needs to be done, especially in education of judges and lawyers, which is the main focus of what I’m trying to do in the last two or three years.
So with that, I’ll leave it at that, at my fifth point. But we have a sixth point which will neatly allow me to ask you to take over from me. Because we’ve got to obviously… I haven’t looked at the challenge of forensically preserving data, and there are several issues that arise from this obviously, such as what is forensic data preservation – some of our listeners obviously will know about that. Obviously, there’s a question about the process of repeatability for cloud evidence, and who uploaded the data, for instance, establishing who it is. So [Shahaf], with that, I’ll hand over to you.
Shahaf: Thank you, Stephen. And yes, definitely the forensic preservation of data is critical, and if we want to lay out the four main points that are relevant, that define forensic preservation, then I would say that are: not changing the evidence on the source; making sure that the data you preserve is authentic and is not manipulated; explaining the process that you took; and the ability to repeat the process.
And as you mentioned, Stephen, one of the challenges with the cloud, with cloud data, being volatile and constantly changing, is the ability to repeat the process. Because if you do a snapshot of the cloud this morning and you do a snapshot of the cloud later this afternoon, it probably will not look the same. People might change data, might add data. So the question of whether the repeatability is something that is necessarily a part of forensically preserving the data, it’s one of the challenges. One of the resolutions that I heard along the way is that first of all, we all need to understand that we are taking a snapshot. And if someone is defining the boundaries and assuming that no one is deleting data, then you can repeat a snapshot in the past using different tools.
So definitely repeatability is one of the challenges. Then, defending the authenticity of the data, which we will refer later in this session, and how you can make sure that… what are the best practices for forensic cloud preservation.
I would like to touch at this point some questions that some of our people had. So Stephen, one of the questions was: If you can explain what is the difference between a user and an owner? You mentioned that in the beginning of your section.
Stephen: Yes. If we just take your average heroin dealer, most will have five, six, or seven [mobile phones]. Some of them, they might deliberately borrow from other people for various purposes. They will try to make them all anonymous, for obvious reasons. So a dealer that has, let’s say, a girlfriend, or even a boyfriend, and might want to do something on their telephone, i.e. the girlfriend’s telephone, you have to distinguish between the user and the owner.
Now, a lot of people speak in very general terms, that when you record a telephone conversation for instance or you record the number of telephone conversations that are initiated and you have the recording of the actual telephone connected and what time they were connected, or the metadata, that it was the person who owned the telephone that made that call or is responsible for it – which is not correct. Because it is the device itself, or better still the chip inside, and the software in the device that is making connections, not necessarily the human being. You’ve got to actually connect the human being to the act. Some people will deliberately try to make that more difficult for the police to ascertain.
So there is a need sometimes to ascertain the owner and the user, and it’s particularly important obviously in civil proceedings, where you think that a theft has taken place of intellectual property from your organization, the organization will probably own the device, but not always. Because if you have a Bring Your Own Device policy, the employee might have information actually on their smartphone, their personal smartphone which belongs to the organization. So this is quite an important issue that should not be ignored.
Shahaf: Lovely. Thank you, Stephen, for that explanation. [Indecipherable] briefly looking from your insight in Singapore and the experience that you have with respect to legal foundation, anything you would like to share on this topic.
Pamela Kiesselbach: Yes, thank you, Shahaf. I think having listened to Stephen, we’ve obviously been looking at the basis on which law enforcement agencies… regulators [indecipherable] industries as well as the police, and maybe the authorities tend to have very broad or fairly broad powers to conduct dawn raids and to enforce search orders and search warrants, and to seize data. So we have been looking at to what extent they can get into the computers and seize computers, and those powers tend to be quite broad. I mean, for example, in China, there are not that detailed laws, and if you get a dawn raid basically, pretty much everything is up for grabs, so to speak.
Shahaf: Lovely. And thank you. I would like to move to our next topic, which is with the owner of the data and with respect to that, is it the individual itself, is it the cloud provider, is it the user of the data? What about metadata? Who is the owner of that? Jy, would you care to take the lead?
Jy Millis: Certainly. Thanks, Shahaf. So every time an individual logs in and uses the services provided by a cloud-based services provider, they are providing that provider with an enormous amount of data, in particular information about themselves, such as their names, phone numbers, and where they live, and in many cases, all the same information about all of their family and friends.
Now, all this information is what is commonly described as personal data, which, under many laws, usually includes information about an individual who can be identified from that information or from that information combined with some other information. On top of this, individuals provide cloud-based service providers with an enormous amount of underlying data, as Stephen described, about where they log in, what time they access their accounts and for how long, who they contact, and other such information.
In some cases, as demonstrated by a recent decision of the Australian Privacy Commissioner, this metadata may also be regarded as personal data. So then, given all this information being provided to cloud-based service providers, who owns that personal data? Under English law and the laws of many other jurisdictions, there are no property rights as such in personal data, and therefore it is somewhat incorrect to talk about who owns that information. Such information, such as my name, just is.
So instead, what we talk about is control, and who is able to control personal data. Now, ultimately, control of that data rests with the individual to whom it relates. However, when we sign up to a Hotmail or a Facebook or some such other, similar service, we give consent to the cloud-based service provider to collect, use, and disclose our personal data for a particular purpose. The consent we give will also reflect applicable laws and regulations about what the service providers must do in relation to personal data.
Most data protection laws give rights to individuals in relation to their [processing] of their data, and organizations that collect such data may have legal obligations to process it in a certain way, including limits on how it uses, holds, and transfers the data. Therefore, while we may retain ultimate control over our personal data, every time we sign up to a new web-based email account or something similar, we hand that control over to the relevant cloud-based provider, who is accountable to us for the use and protection of our data in line with the consent given when you sign up to their services.
What many of us may not consider when signing up to a new online service is what the cloud-based service provider then does with our information once it’s handed over. Now, while we all believe and have confidence that cloud-based service providers will protect the privacy of our information, their business models, as will be reflected in their terms and conditions that we agree to when we first use the services, means that they will regularly be shifted around the world, so that the personal data of someone sitting in Singapore, for example, may be hosted by a cloud-based service provider based in the United States on any of its servers across a number of countries and continents.
Now, this gives rise to a number of issues when law enforcement agencies wish to access such data in the context of an investigation. So first, let’s consider the scenario of the law enforcement agency in one country wanting to access information about an individual being hosted by a cloud-based provider in the same country. Although data protection and privacy laws are not uniform across the globe, most will allow the disclosure of personal data to law enforcement agencies where this is required for ensuring public safety and security. In most cases, such disclosure will be in response to a warrant or a subpoena or something similar. For example, under that EU directive on personal data, Article 13 provided such an exception that member states may adopt legislative measures to restrict the scope of the obligations of data controls and the rights of data subjects when necessary to safeguard national security, defense, public security, or the prevention, investigation, detection, and prosecution of criminal offences.
However, in most cases, it is only local law enforcement agencies that are allowed to obtain such personal data. For a foreign law enforcement agency to then access that personal data hosted in another country, it must go through the MLAT route as Stephen described or some such other mechanism whereby the host country agrees to the foreign enforcement agency undertaking investigations in its territory. Now, this reflects the fact that in most cases, even outside of the cloud context, a law enforcement agency cannot simply conduct an investigation, including interviewing witnesses or obtaining evidence, from abroad without the consent of the jurisdiction in which it wishes to conduct such investigation.
However, as Stephen noted, the MLAT process is criticized as being a bit too slow and unresponsive at times for [indecipherable] law enforcement investigations. A notable exception to going through this route exists under the cyber crime convention, which allows foreign law enforcement agencies to access information, if it is publicly available of course, or if they obtain the lawful and voluntary consent of the individual concerned. In addition to the MLAT route and access permitted under the Cybercrime Convention, a number of court judgments have upheld the right of law enforcement agencies to access data from cloud service providers even where that data is hosted outside the requesting state.
So in what is now quite a famous case involving Microsoft in the United States, US Federal Court allowed the US government to access the email account of a Microsoft customer whose account was in fact hosted in Ireland because that information was under the control of Microsoft, which is based in the US.
So what issues arise if a foreign law enforcement agency seeks to obtain personal data from the cloud when it is hosted outside that law enforcement agencies territory without it going through the MLAT route, without a court permitting such access, or without consent or if it’s publicly available?
First, if a foreign law enforcement agency directly access data outside of the MLAT route or without some other permission or consent, it may cause the cloud-based service provider from which the data is accessed to being in breach of local data protection and privacy laws. It is important to note here that in its opinion on cloud computing from 2012, the EU’s Article 29 data protection working party stated that it’s of the utmost importance that in the data protection regulation, which is now being finalized and negotiated, it be made clear that data controls operating in the EU be prohibited from disclosing personal data to a third country if so requested by that country’s judicial or administrative authorities, unless this is expressly authorized by an international agreement or provided for by the MLAT, which would therefore give some legal certainty for the individuals whose personal data are stored in data centers all over the world.
It is likely that countries with very strict data protection and privacy laws will object to the access of personal data that is hosted in their jurisdiction without the party seeking such access adhering to and complying with local legal procedures. In addition, accessing a device or a network without appropriate authorization is in many countries a criminal offence. For example, in Singapore, where I am sitting, the Computer Misuse and Cyber Security Act makes it a criminal offence to cause a computer to perform any function for the purpose of securing access without authority to any data held in any computer. This law has extra-territorial effects, so that it applies within and outside Singapore as long as the relevant computer or data is located within Singapore.
While such laws are aimed primarily at preventing, detecting, and countering cyber attacks, it is clear they may also apply in the case of law enforcement agencies accessing data in the cloud without consent. So with that in mind, there is clearly an inherent opposition between law enforcement agencies having unfettered access to data for the purposes of conducting lawful investigations wherever it may be located on one hand, and this fundamental right in many countries to privacy and protection of personal data. In the wake of the revelations by Edward Snowden and through WikiLeaks about the widespread collection of data, including personal data, by many countries, it is more, not less likely, that governments will be keen to ensure that foreign governments do not access data hosted in their territory without going through a proper legal process reflecting the sentiments expressed by the Article 29 Working Party even if this means foreign law enforcement agencies cannot readily access such information for otherwise legitimate purposes of criminal investigations.
On the other hand, it is conceivable that some courts may support law enforcement agencies to use technology that enables direct extraction of cloud-based data rather than protecting the privacy of the individual in all circumstances or the sovereignty of the state in which the data is hosted. If a law enforcement agency is given the right through a search warrant to access information on or through a suspect’s device, it is possible that a court may view that data, wherever it may actually be hosted, as being intrinsic to the phone, and therefore subject to a legitimate data access request.
Shahaf: Lovely. That’s extremely interesting. The [points about owning] the data and where the data actually resides, and what’s the jurisdiction around it [indecipherable] [this is a] direct connection to our next topic, which is what are the jurisdictional restrictions for cloud-based data? [Which jurisdiction is determined] – Jy touched upon that, and it is based on the location of the data, the user or the provider itself. Pamela, would you like to continue the discussion in that direction please?
Pamela: Yeah, absolutely. Thanks, Shahaf. Jurisdiction is a very interesting question, and particularly [indecipherable] if a law enforcement agency, whether it’s the police or the anti-competition agency or those who are looking at corruption, they will want to obviously seize information and further investigation, and query whether they have the jurisdiction or the right and the power to seize certain information, and on what basis do they have that power. Now, obviously, Stephen talked about the legal basis. But very often, in order to maybe serve a search warrant or to actually go in and seize documents, you have to have jurisdiction. The question is on what basis do law enforcement agencies or courts [indecipherable] making the orders or the search warrants have jurisdiction?
And usually, jurisdiction is based on a nexus – there has to be some sufficient nexus between the country which is ordering or the law enforcement agency within which country the acts are happening and the data. So number one, if the data is obviously situated in a certain country, let’s say in Singapore, then the law enforcement agencies are likely to have jurisdiction over that data, and can seize that data. So that’s fairly easy.
If the data owner is within the jurisdiction, then you can obviously serve a subpoena or a search warrant on the data or owner, and can establish jurisdiction even if the data owner might be hosting the data somewhere outside the jurisdiction. So that’s a way of asserting jurisdiction.
If the cloud service provider… and I think Jy also mentioned the Microsoft case. Microsoft is a US company. There, the US court served a search warrant on Microsoft based on the fact that the cloud service provider was incorporated was incorporated, was doing business in that country. So that’s a way of asserting jurisdiction. The fact that the documents were hosted in Ireland was, as far as the US courts were concerned, neither here nor there. It was sufficient that Microsoft, the cloud service provider, was in the US. That’s obviously a case that is now working its way through a number of appeals. So it waits to be seen whether that stands up.
Other bases on which one could possibly assert jurisdiction is if the criminal offence took place within the jurisdiction. That’s slightly trickier, because yes, you have the jurisdiction to investigate the offence, but do you have jurisdiction over data that might be outside the jurisdiction? But that might again be a nexus, and I think the case that Stephen referred to, the Danish case, very much was based on the fact that the tort happened in Denmark, and there was a feeling that one could then seize data that was outside Denmark via computers.
Maybe where the data is created – that might also be a nexus. If the data was created by someone within the jurisdiction, that might be something that would compel courts to say yes, the law enforcement agencies can seize that data.
So you have to look for a nexus. Some are stronger, some are weaker, some are nexuses that have been recognized as establishing jurisdiction, and some might be a bit more tenuous.
So that’s a bit about jurisdiction. Shahaf, I think one other thing that we wanted to talk about is whether one could look at the logical presence of a service provider, is that right?
Shahaf: Yeah. Yeah, exactly. Whether… and I think it’s very much like the Danish case, I think, that Stephen mentioned, and whether the fact that the service provider resides in your country – let’s say that Facebook resides in Singapore – does it mean anything in terms of jurisdiction?
Pamela: I think this is again an interesting one, because for example, let’s take Yahoo! or… there is a Belgian case, Yahoo!, which is I think pretty much on point, where Yahoo! is… I think I’m right in saying that they’re established in the US. But they obviously direct their services all over the world. And the Belgian court says, “We’re going to serve a summons on you to reveal the identity of one of your users,” and Yahoo! said, “You don’t have jurisdiction over us. We’re in the US. If you want anything from us, any information from us, you have to go through the MLAT route.” And the Belgian court says, “No, no, you are virtually present in Belgium because you are directing services to Belgium.”
Because in order to, in any way, serve an order on someone, you have to have jurisdiction over that company or individual. And that usually is the case if that company or individual is incorporated or doing business in your jurisdiction. The virtual presence is, again, an interesting one, because there are rules definitely in civil proceedings, under, for example, the Brussels regulation, which allows courts to take jurisdiction over companies which are directing their e-commerce into a certain country. So if it’s Amazon, situated in the US, and they’re selling things into Germany, on a German website, it’s in German, then they are subject to the jurisdiction of the German courts because they have decided to direct their services into that country.
So there definitely is a precedent of virtual presence. [Clearly] whether one can also use that in the criminal context… because the very, I think, importance… the difference between civil proceedings and criminal proceedings, that countries tend to be a bit more sensitive about law enforcement agencies which are state agencies, state governed or controlled operations, to start seizing documents which are outside their territory. That’s why search warrants tend to be restricted to the territory of the country. It’s a question of the sovereignty of the country. In civil court proceedings, you have private parties, they’re having a dispute, and they are required to provide information via court orders. They will then more or less voluntarily provide that information. But it’s not a state power going into another country and seizing documents. And that’s why I think it’s a bit more difficult to use those with civil proceedings-related examples which allow jurisdiction over someone who’s virtually present in a criminal context.
So I think Shahaf, you mentioned when we were talking about the webinar a very interesting little scenario where you said let’s assume someone is bullying or insulting a Singapore citizen on Facebook, it’s all happening in Singapore basically, to Singaporean citizens. So there’s a tort, there’s a crime happening in Singapore. Why should one apply US law simply on the basis that Facebook is situated in the US and might be holding the information on a US server or… definitely a server outside Singapore.
And I think the answer to that one is you’ve got to look at the difference between where is the crime committed – and obviously, the Singapore law will determine is there a crime and can we prosecute that crime – and where is the evidence situated. And if you want to start seizing evidence that is outside the Singaporean jurisdiction, you wouldn’t… you usually use the [indecipherable] so the law of the place where the data or the evidence is situated. And this is obviously a huge challenge in relation to cloud, because very often, people don’t know or don’t care where the documents or the data is situated. Now, the computer in Singapore, they can access the information, and for all intents and purposes, the information is in Singapore. The fact that it happens to be stored on a computer in the US or in China or in Russia is something that’s pretty much hidden and almost… it’s not something intentional – the cloud providers will move the documents or the data around depending on where they’ve got some space, some storage space.
So you can see courts possibly taking the view: well, if you can access the information through a device in the country, and as Jy said, then that data within our jurisdiction. And I know that, for example, the European Competition Commission, they do take that view. If you can access it easily on a day-to-day basis from a computer within Europe, then it doesn’t matter that the data happens to be hosted in the US. It can be seized by the European Competition Commission.
So the cloud and the internet is throwing up a lot of issues which I think the courts are having to grapple with based on laws that were written before the cloud existed.
Shahaf: Yeah, I agree. The more I personally hear about it and the more I talk with you about it, the more I find it more fascinating. And also it’s a big headache trying to deal with that, but there are so many variations around the jurisdiction, and how it’s determined, and the ownership of the data. Stephen, anything you would like to mention with respect to the jurisdiction?
Stephen: Yes, thanks very much. Pamela mentioned the Yahoo! case. The Yahoo! case now has gone through I think six judgments. I have published each judgment in a translation into English in my journal, so it’s just a matter of downloading them off the internet for free. A seventh judgment has yet to be made. So there is no definitive answer to the Yahoo! case yet. And interestingly, my editor in Belgium in May this year informed me that another case very similar to the Yahoo! case has been launched against Skype in Belgium. In essence, the argument by Yahoo! was, “Look, we do not have offices in Belgium, we have no physical presence in Belgium, therefore Belgian law doesn’t apply to us.” And both the prosecutor, who I know very well, and also the investigating magistrate, who I also know, are both opposed to that position, and they are quite rigorous in trying to establish that the seven email accounts they want Yahoo! to give up to them should be done so under Belgian law, regardless of the fact that Yahoo! has a physical presence in Belgium – which illustrates the point neatly I think.
Shahaf: Indeed. Thank you for sharing that additional info. As I mentioned in the beginning, we have the experts here, they are up to date with the [indecipherable] cases, so I do suggest to the rest of the audience to keep tracking Pamela, Jy, and Stephen, [indecipherable] learn every time something new.
The last topic that we wanted to discuss is more… it’s less around legal, it’s more around the processes and the methods for acquiring data, and what are the best practices for forensic cloud extraction, and [indecipherable] on this topic. So I mentioned some of the [indecipherable] data preservation, but looking into forensic cloud extraction, the first thing that I would say, and I think this is part of the reason that we at Cellebrite thought it would be useful to have this panel over to discuss the legalities, to make sure you get legal authority to gain access into the cloud in your country. And you’ve heard the different methods and different ways to look into that, and each interpret it a little bit differently.
Once you get the legal authority, then it’s a question about getting the relevant data in the right time. So some of the challenges with respect the current legal system and the way that it needs to apply specifically… if you need to go through [indecipherable] processes, how much it is taking you to get the information from the cloud. With some of the people that we have discussed around the world, this task can take a few months to a year, especially if you do not reside in the same country as the cloud provider.
And this gives you a question, is whether this information would be actually valuable for you for the time of the investigation. And as we’ve seen in most of the cases, cloud information is very important, so you need to find out the ways and the tools to provide you with the information in the right timing, again working under the legal authority – which also relates to the fact that when you do the forensic extraction of the data, you want to be sure that you comply with that legal authority, both in terms of the time frame that this legal authority suggests, but also in terms of the amount of data that can be produced.
The third point related to the forensic extraction is with respect to data authenticity. So when you… Cellebrite is producing a software and the hardware for extracting information from mobile device and then analyzing that. So when you have the mobile device or when you have the PC, this is very easy, because you have the evidence in your hand and you know where is the data, and it’s very easy to correlate the data to the device itself. But what happens when the data is in the cloud? How do you correlate that data to somewhere that you don’t know where it is? Not to mention that it might be stored on [indecipherable] server with [indecipherable] copies.
So you need to be sure that when you are applying processes to acquire the data from the cloud, you want to be sure that data is obtained yet you want to make sure that you are containing the data in some kind of format that you know will not change across time. You want to make sure that you collect some metadata around this data so you will be able to cross-correlate with other sources, and obviously, you will always want to be sure that you are making the right validation to whatever tool that you are using, even if it’s a manual tool that… basically go into Facebook website and pull out information from there. So eventually you want to be sure that what you are using is something that you can stand behind.
The fourth point with respect to the best practices would be traceability. So you want to be sure that you document everything that you are doing, and you will be able to, if not reproduce the same process, you would like to be able to at least show what are the methods and what are the steps that you have taken across the way in order to achieve that data. This is very important for you, this is… I know that for some of our law enforcement customers, this takes most of their time, and therefore you want to be sure that if you are using tools for that, you would want to be sure that those tools are actually doing some of the recommendations for themselves, so you can use that and then use it in court.
With that sense, I just want to touch a little bit about technology. I know that some of you had questions around that. So briefly discussing in a high level what kind of methods you have today in order to gain access into the cloud. And this is a side of going to the service provider and asking for the information. So basically… and obviously, again, I am saying everything under the assumption that you got your legal authority to gain access into the cloud, and you are not obviously making anything illegal. And again, I hope that the last hour conversation was useful for you to understand what kind of things you can do again, you can apply and you can work with.
So with respect to the kind of solutions, first of all, you can obviously go and manually browse through the web interface of the cloud provider and start pulling information. Again, you need to be sure that you are tracking every step of the process, and you want to be sure that the data that you are capturing is eventually forensically preserved, so no one can say, “Hey, you are the one that implemented that picture on that specific website.”
For those reasons you know… and we at Cellebrite came with the tool that we call UFED Cloud Analyzer, that basically allows you that kind of capturing of private cloud data in the cloud. I will not go too much into this tool. I will just mention that Cloud Analyzer again, working under the right certain legal authorities, will enable you instant access into cloud data. This is with a username and password or utilizing information that was on the mobile that allows you the key to access the information in the cloud. For those of you that want further information about it, we will conduct a webinar in a couple of weeks specifically about the technology, so you can further reference that information.
With that being said, quickly Jy, Pamela, Stephen, any final words as we are approaching the last couple of minutes of our discussion?
Stephen: I have a final one, which hopefully both Jy and Pamela might agree with. [Indecipherable] comments very briefly – when it comes to private investigations, i.e. non-criminal investigations, one of the issues that always arose when I started in this area some 10, 15 years ago was whether or not you should forensically image computers for civil proceedings. And that’s a very difficult question to answer, because it depends on whether or not the data is going to be challenged, the authenticity of the data is going to be challenged in due course. And so your court, as a civil organization with the impossible position of establishing the authenticity of the evidence, if you haven’t obtained it in the way that you do it, for instance, the company, but if you do it properly in the way that the police do, then that of course is quite an expensive experience.
Shahaf: For all of our participants around the world, thank you again so much for joining us this morning, afternoon, evening, depending on your area. I learned a lot this session, I hope it was as useful for you as it was for me. Special thanks Pamela, Jy, Stephen. I take my hat off for the great session that we have today. Thank you so much, and I hope to speak with all of you soon, whether in person or over a webinar.
End of Transcript