U.S. DOJ: The Cloud Provides No Legal Cover for Criminals

Grazed from eSecurity Planet.   Author: Sean Michael Kerner.

The Cloud is a model for computing that provides new opportunities for consumers, businesses — and yes, even criminals. As a result, one question that has emerged is: What is the reach of U.S. law enforcement agencies into the cloud, and to what extent are they able to operate in jurisdictions around the world?

In a conference call with press on the subject of Cloud Computing and Data Privacy, U.S. Deputy Assistant Attorney General Bruce Swartz addressed a number of myths about the cloud and how existing laws pertain to it. Swartz noted that there seems to be some controversy about the ability of U.S. law enforcement agencies to access information in the cloud.

"There is a myth that the advent of cloud computing changes everything or has somehow presented us with new problems that we haven’t had before," Swartz said. "In fact, while cloud has some important advantages for consumers and others, it doesn’t present any issues that have not always been present as long as there have been Internet service issues."…

Swartz added that multi-jurisdiction issues with regard to information that is online pre-date the term "cloud." Law enforcement has had to deal with issues of content stored in one country that may have been generated in another country for the entire history of the Internet. The way that the U.S and other countries around the world deal with such Internet content jurisdiction issues was actually formalized a decade ago.

"It’s important to recognize that the framework for resolving conflict in the law enforcement context was established long ago as the Budapest Cybercrime Conventions which dates back to 2001," Swartz said. "That convention spells out a framework for access by law enforcement to computer data stored within a particular country."

Swartz explained that the convention obligates each country to have legislation which enables authorities to compel production, from any person or corporation in its territory, of computer data that is stored in that country, that is within the control of the person or entity.

While the Budapest Convention lays out the framework, Swartz admitted that there can occasionally be issues about whether or not a company within the territory of a state, can be compelled to produce evidence that is stored outside of that country.

"That is not a new problem, it’s a question that pre-dates the cloud and the Internet itself," Swartz said. "It has been around as long as entities have stored records in one country and have been present in another."

Swartz added that the question of what power a country has to compel production of those documents has been one that law enforcement has long dealt with and the U.S and others governments have a legal framework for dealing with it.

The other myth about U.S. law enforcement in the cloud that Swartz addressed revolves around the impact of the Patriot Act. Enacted in response to the 9/11 terrorist attacks, the law gives U.S law enforcement broader powers to gather intelligence. Swartz noted that the Patriot Act rationalized existing laws about surveillance, but it didn’t work a fundamental change to the issues of stored data. He stressed that the Patriot Act does not affect the Cloud for law enforcement purposes.

"Law enforcement in the U.S, the EU, and around the world have worked out a system through treaties, memorandum of understanding and through their own domestic laws to ensure that we can share information and obtain information from each other and do so while protecting privacy," Swartz said.