10 June, 2015
Digital data (including mobile, internet and cloud data) represents a virtual goldmine of potential evidence for law enforcement agencies. New technology allows law enforcement agencies to access internet and cloud data directly through individuals’ mobile devices (so-called ‘mobile forensics’). This e-bulletin explores the legal issues raised.
Historically, the means of accessing a person’s data stored in the cloud was most likely to be through:
(1) the consent or cooperation of the individual concerned or owner of the data (including in respect of workplace bring your own device policies);
(2) the mobile, internet or cloud provider, often following relevant legal procedures (search warrant or subpoena); or
(3) the Government of a country holding the data, utilising mutual legal assistance procedures.
Obtaining the consent of the data owner has been and remains the most direct and uncontroversial means of extracting data from mobile devices or the cloud, but practically, is of limited use where the individual concerned has not given consent or is uncooperative. Getting access through mobile, internet or cloud providers and governments is notoriously a lengthy and cumbersome process.
However, recent advances in data collection technology, means that users’ mobile phones, laptops or other devices can enable mobile, internet or cloud based content to be collected directly from those devices.
The new technology allows law enforcement agencies to access mobile, internet or cloud data without having to rely on the individuals concerned, or on the mobile, internet or cloud providers. However, it raises a number of legal and political issues. This e-bulletin explores some of those legal issues.
Questions Of Sovereignty
By its nature mobile, internet or cloud based data often transverses national boundaries.
Extracting data from a server hosted in a different jurisdiction has been the subject of two recent cases in the United States and Belgium.
Microsoft vs The United States
In December 2013, the US government served a search warrant on Microsoft under the US Stored Communications Act (SCA) for information located in the email account of a Microsoft customer whose target account was hosted in Ireland. The search warrant was held by the magistrate judge to be a “hybrid” – part search warrant subject to criminal procedure requirements and part subpoena which required Microsoft to produce “all information in its possession custody or control regardless of the location of that information”.
Microsoft asserted that the information was beyond the ambit of the search warrant as it was (1) stored in Ireland (outside the US jurisdiction); and (2) was the customer’s private information and not part of Microsoft’s business records.
The US federal court quashed Microsoft’s appeal finding that the information was under the control of Microsoft, and therefore subject to the “hybrid” search warrant. Microsoft is currently appealing the Federal Court’s decision and has indicated that it is willing to take the matter all the way to the Supreme Court. It has received wide support from other ISPs and the Irish Government.
Yahoo! In The Belgian Courts
The Belgian Court of Appeal of Antwerp in November 2013 convictedYahoo! for failing to disclose the identity of certain individuals who committed fraud via their Yahoo! email accounts. Under Belgian Criminal law, electronic communication services providers are obliged to disclose identification data to law enforcement agencies when requested.
Yahoo! refused, claiming that it was not subject to Belgian law as it was incorporated in the US and did not have a physical presence in Belgium. Instead, Yahoo! asserted that the Belgian prosecutor would have to make a request to the US via a Mutual Legal Assistance Treaty (“MLAT”). The Court of Appeal of Antwerp disagreed with Yahoo’sreasoning and held that Yahoo! was “virtually” located in Belgium given that it offered services in Belgium.
Does Direct Access To Data Raise Issues Of Extraterritoriality?
Query whether new technology can get around the extraterritoriality issues raised by the Microsoft and Yahoo! cases. With new technology, law enforcement officers would no longer need to engage mobile, internet or cloud providers, nor require that they provide data from another country.
Provided the officers have access to the individual’s mobile phone, they would have direct access to the data (irrespective of where the data is stored geographically). Indeed, when accessing data through the mobile phone, it may not be easily determinable where the information is “situated”.
As far as we know, courts have not yet had the opportunity to grapple with this particular issue; thus it is not clear how they will react. However, any final decision in Microsoft is likely to have a significant impact on the judicial treatment of data access by law enforcement agencies, and the extraterritorial scope of search warrants and subpoenas.
Should the decision be made in favour of disclosure, one can see a judge taking the view that a search warrant aimed at information directly accessible through a mobile phone situated in the jurisdiction is even less likely to raise “legitimate” extraterritorial concerns.
Public International Law Issues
The traditional approach of many jurisdictions is that data stored in one jurisdiction cannot be shared across jurisdictions unless a request is made under an MLAT or other international agreement between the relevant governments.
This is also the approach taken by the Convention on Cybercrime (CETS No 185, Budapest, 23 November 2001) which contains provisions aimed at cooperation between Signatory States in collecting and sharing electronic data stored in a Signatory State’s territory. It is noteworthy that the Convention which is an initiative of the Council of Europe has only been ratified by a handful of countries outside of the Council of Europe, including Japan and Australia in the APAC region.
Generally, the Convention provides that the mutual assistance route must be taken where data is stored outside the territory of the requesting state. There are two notable exceptions which provide that a Signatory may without the authority of the hosting country:
“(a) access publicly available (open source) stored computer data, regardless of where the data is located geographically; or
(b) access or receive, through a computer system in its territory, stored computer data located in another [Signatory], if the [Signatory] obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the [Signatory] through that computer system.” (Article 32) [emphasis added].
Whether the “person with lawful authority” includes a mobile, internet or cloud provider is a matter of judicial interpretation, and a point that is still being disputed by Microsoft. However, it is clear that the Convention (which has been the subject of intense political negotiations) does not envisage data being accessed in another jurisdiction without the consent of the individual concerned (or another lawfully authorised person) unless the MLAT route is chosen.
Data Protection And Privacy Issues
The identification of data protection or privacy issues is an important part of the process of digital evidence gathering, use, sharing and exchange. The main objective is to find the balance between efficient investigation and sufficient protection of any relevant individual’s privacy.
Data protection and privacy laws are not uniform across the globe, but most laws do allow the disclosure of personal data to law enforcement agencies usually in response to a search warrant. The issue is that often only local law enforcement agencies are exempted, including through the MLAT route.
A foreign law enforcement agency accessing data directly may cause organisations (including mobile, internet and cloud providers) to be in breach of local data protection and privacy laws.
Accessing a device without appropriate authorisation is also a criminal offence in many countries.
It is likely that countries with strict data protection or privacy laws will object to access of personal data in their jurisdiction without adhering to legal procedures. For example, following the magistrate’s decision inMicrosoft, the German Government stated that it would not use US cloud providers unless the decision in Microsoft was overturned.
Technology that enables direct extraction of mobile, internet or cloud based data, without the involvement of the individual concerned, may have a significant impact on investigators’ abilities to obtain data across jurisdictions without involving the mobile, internet or cloud provider or other person that has control over the data.
It could improve the ease of data extraction, as it effectively bypasses the individual, provider or any other third party who is likely to raise data privacy or sovereignty concerns. It would most certainly put them on the back foot, as they would have to take steps to assert rights of data privacy and confidentiality which may not be recognised in the relevant jurisdiction.
Such direct access may also meet opposition by mobile, internet or cloud providers and governments or international bodies.
On the other hand, in light of the decisions in Microsoft and Yahoo, it is conceivable that some courts may uphold the technology rather than protect the privacy of the individual or the sovereignty of the state hosting the data. If a law enforcement officer is given the right (through a search warrant) to access information on (or through) a suspect’s mobile phone, and there is no need to request that a third party transfer the information from another jurisdiction, then it is possible that a court may view the data as being intrinsic to the phone and therefore subject to the data collection request.
For further information, please contact:
Mark Robinson, Partner, Herbert Smith Freehills
Andrew Moir, Partner, Herbert Smith Freehills
Pamela Kisselbach, Herbert Smith Freehills