(No.172) Cloudy Jurisdiction: Addressing the thirst for Cloud Data in Domestic Legal Processes

Status: 
Accepted
Workshop Theme: 
Security, Openness and Privacy
Theme Question: 

Question 1, 4 and 5

Concise Description of Workshop: 

The use of cloud services is rising globally. Cloud computing and storage are uniquely tailored to take full advantage of our increasingly networked environment. However, a move to the cloud also entails tangible challenges as vast repositories of information once kept within the sacrosanct safety of the home computer are placed on a remote server in the control of a third party. While the protections of home storage and processing can be replicated in the cloud, legal norms have been slow to adapt. Jurisdiction, the classic internet governance question, is raised in particularly stark contrast in the move to the cloud, as placing user data in the cloud can subject that data to the legal access laws of any (or even many) jurisdictions in the world.

While there are indicators that such data is being accessed at increasing and alarming rates globally, even the dimensions of the problem remain obscure. What is needed is a set of shared international norms relating to transparency, data sovereignty and lawful access to private information. In recent years, however, international forums have appeared much more eager to adopt international standards for data access (be it to combat cybercrime, secure critical infrastructure, or help intellectual property holders uncover alleged infringers of their rights) than for data sovereignty. Standards need to be developed that will provide a basis for the special challenges to cross-jurisdictional privacy that the move to the cloud highlights. This panel will examine the need for such a cross-jurisdictional framework, what one might look like, and, importantly, how one might bring such a framework about where the issue appears to be a low priority for many national governments.

Agenda
The objective of this panel is to attempt to resolve some of the trans-border threats to civil liberties that are posed by the move to the cloud. If a baseline of privacy protection can be assured at the international level, concerns over limiting data flows on the basis of jurisdiction will be alleviated. This panel will be divided into two parts. The first part will discuss some of the challenges raised by the cloud environment for traditional civil liberties paradigms. The discussion in part two will be solution-driven—what rules can be put in place at the international level to alleviate the heightened risk to privacy and other civil liberties raised by a cloud-centric model.

Part 1: Cloud-based threats to cross-border civil liberties (45 mins)
This part will discuss some of the challenges to civil liberties arising from a cross-border cloud-based environment. The panel will be further sub-divided into 25-30 minutes of panelist input, followed by 15-20 minutes of general discussion. Panelists will be asked to spend 3-5 minutes highlighting what they view as the most pressing of these challenges.

This might include specific recurring problems that have arisen in many comparable online contexts, as they relate to the cloud such as, for example:

  • Legal obligations to build intercept capacity into Internet services (compare CALEA 2.0 efforts in US, Lawful Access in Canada, and domestic server obligations such as those imposed on RIM by India and others in order to facilitate access to data that is encrypted in transit).
  • Concerns that many legal regimes permit voluntary conduct without adequate safeguards for political pressure on companies, particularly smaller businesses, to comply with requests.
  • Inability to challenge surveillance laws because the programs are shrouded in secrecy, because individuals are never made aware they have been surveilled, because of standing issues, etc.
  • Ability for ‘one-stop access’: the cloud centralizes mass amounts of data in one place. This concentration occurs alongside a general erosion of traditional criteria designed to ensure surveillance is targeted in a way that impacts minimally on the general populace.
  • Nascent suggestions of informal information sharing arrangements through MLATs and less transparent, more informal arrangements.

Part 2: Adopting protections at the International level (45 mins.)
The discussion in Part 2 will focus on how some of these problems can be addressed at the international level by adoption of a set of principled protections designed to meet the realities of online and specifically cloud services. The focus is on problem resolution.

Format for Part 2 will mirror that of Part 1. Panelists will be provided with 3-5 minutes each and asked to present their views on one or two solutions that can be adopted at the international level to the problems presented in part 1. The remainder (20-25 minutes) will be dedicated to general discussion.

It is hoped that the discussion will explore specific protections that might be adopted at the international level, how to advance those solutions, and what strategies can generally advance these objectives, on the advocacy front, by use of transparency tools to increase awareness of some of the issues.

Questions to think about:

  1. Historically, interception of communications received the strongest protection at law, but it relied to a great extent on the act of interception coinciding with the communication itself. Should we be expanding this to other means of communications?
  2. Do we have effective mechanisms to immunize private organizations from political pressure to voluntarily share information? Particularly, a lot of small companies can now have a lot of information. Are they well equipped to resist political pressure?
  3. Does the content/traffic data distinction still hold? Do we need a new framework for analysing the types of data produced as a natural byproduct of our online activities?
  4. Can the MLAT regime form the basis for ensuring fundamental rights are respected in legitimate cross-border surveillance activities? If so, what would it take to have it reflect a baseline of protections?
  5. Is it feasible to develop and formally adopt detailed limitations on state access at the international or regional level?
  6. Is cloud-based info susceptible to unauthorized state access in new ways? Is this something the law can fix (mandate encryption in storage or other safeguards)? Social engineering concerns?

Background Reading:

Organiser(s) Name: 
  • Katitza Rodriguez, International Rights Director, Electronic Frontier Foundation (Peru)
  • Tamir Israel, Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (CIPPIC), University of Ottawa (Canada)
Submitted Workshop Panelists: 

Chair: Katitza Rodriguez, International Rights Director, Electronic Frontier Foundation (US/Peru) (Civil Society) / Confirmed

  • Ian Brown, Senior Research Fellow, Oxford Internet Institute (EU) (Academic) / Confirmed
  • Bertrand de la Chapelle, Program Director at International Diplomatic Academy (EU) (Civil Society) / Confirmed
  • Marc Crandall, Global Compliance, Google (US) (Private Sector)
  • Elonnai Hickok, Policy Associate, Centre for Internet & Society (India) (Civil Society) / Confirmed
  • Sophie Kwasny, Head of Data Protection Unit, Data Protection & Cybercrime Division, Council of Europe (IGO) / Confirmed
  • Bruce Schneier, Chief Security Technology Officer of BT (US) (Private Sector) / Confirmed
  • Wendy Seltzer, Policy Counsel, W3C (US) (Technical Community) / Confirmed
Name of Remote Moderator(s): 
Paul Muchene, iHub Nairobi (Kenya) (Private Sector)
Gender Report Card
Please estimate the overall number of women participants present at the session: 
About half of the participants were women
To what extent did the session discuss gender equality and/or women's empowerment?: 
It was not seen as related to the session theme and was not raised
Please include any comments or recommendations you have on how to improve the inclusion of issues related to gender equality and: 

This is a great initiative. While gender issues were not directly implicated by our topic, we will seek ways to include a gender angle in future panels, even where it is not directly implicated.

Report
Reported by: 
Tamir Israel
A brief substantive summary and the main issues that were raised: 

A PDF of this Report is available at: https://www.eff.org/document/cloudy-jurisdiction-addressing-thirst-cloud-data-domestic-legal-processes
The objective of this panel was to discuss the means by which privacy protection can be assured in an environment that exists in many jurisdictions at once and, hence, is subject to legal access by a wide variety of state entities. The panel was divided into two parts, the first focused on highlighting challenges to surveillance problems posed by the cloud, while the second focused on solutions. The hope was to adopt a practical, problem-solving attitude to these issues.
Part I: Privacy Challenges in the Cloud
Many lines are blurring in a manner that confounds traditional privacy protections while exposing increasing amounts of data.

  • The Jurisdictional Challenge. While the Internet is technically borderless, in reality, state actors impose their sovereignty onto online environments with increasing frequency. The operation of sovereignty over shared spaces can subject individuals to the laws of another country without any realization of having done so. This in effect transforms the surveillance efforts of one country into privacy risks for all the world’s citizens, as an interconnected network places their personal data at the whims of many states. The cloud, which by its nature exists in multiple jurisdictions at once, exacerbates these jurisdictional problems which are generally inherent in online interactions.
  • Lawful Intercept. Governments appear to be in a race to outdo each other in terms of increasing surveillance capacity. Legislative efforts focus on Internet intermediaries and aim to maximize intercept capability and mandate retention of transactional data. The latter, in particular, is problematic as ‘transactional’ data is presumed to be less private. In reality, however, online transactional data can provide a very rich and broad picture of individuals’ lives, activities and preferences. Yet on the basis of a false ‘content/metadata’ dichotomy, states do not offer this type of transactional data the same level of protection as is offered to ‘real’ content. As activities move to the cloud this becomes increasingly problematic, as each cloud interaction generates its additional metadata.
  • Voluntary Lawful Assistance. The move to the cloud places a significant amount of personal data in the hands of third party entities – data that historically resided on the home computer now sits on a company’s servers. At the same time, companies are increasingly facing political and legal pressures to assist governments in their surveillance efforts. Internet intermediaries can be pressured to domestically locate servers in order to bypass in-transit encryption or to hand over personal information of their customers upon request. There is minimal oversight over such voluntary cooperation, and, hence, its scope is not well-documented. The problem is worse in some developing countries, where there are minimal incentives for online intermediaries to fight government pressures and potentially rigorous penalties for not doing so.
  • Updated Surveillance Powers Meet Antiquated Privacy Protections. Absent a few exceptions (such as encryption of communications), governments are in a rush to update surveillance laws. At the same time, they do not seem to approach the need to update privacy protections with equal determination and zeal. Many legal regimes intended to safeguard privacy against the state’s overriding interest in surveilling its citizens are premised on space-based distinctions that simply do not apply in an online/cloud environment. Government surveillance regimes treat the same data that was once stored at home with far less respect simply because it is in the ‘cloud’. Nor have privacy laws evolved to account for the increasing comprehensiveness with which it is now possible to monitor information such as real-time location, contact networks and other types of information. This lack of interest in updating privacy and due process protections occurs in spite of the fact that there are many benefits to ensuring such protections are in place. Some service providers may, for example, wish to avoid jurisdictions which impose heavy-handed and costly surveillance obligations altogether.
  • Lost Individual Control. Another feature of the evolving data ecosystem is that individuals have increasingly lower levels of control over their data. This has legal and technical implications. Legally, it challenges privacy norms that closely link protection with ongoing control over access to data. Technically, individuals are prevented from safeguarding their data with encryption and other techniques, or even from understanding how or to what extent their data is being secured by the third parties who control it. These two sets of implications combine to pose a serious threat to privacy as individual data is increasingly vulnerable on both a technical and legal basis. Worse – lawmakers seek to obligate technology to develop in a manner that facilitates greater surveillance, often with minimal understanding of the broader technical and social implications.
  • Intelligence vs. Law Enforcement. It is becoming increasingly difficult to separate intelligence efforts from law enforcement. Most of our privacy protections are most effective in a law enforcement context, but the line between the two is blurring. The increasing availability of ‘public’ data is a further challenge. It permits law enforcement to sweep up immense amounts of data and undertake forward-looking analysis, whereas our legal system seeks to check law enforcement powers primarily by preventing access to data expected to be private. No reasonable expectations apply to public data.
  • Difficulty Establishing User Trust. Cloud-based companies attempt to take steps to safeguard customer data. These range from adopting security standards, to challenging legal data requests. However, while some mechanisms have developed to certify some of these safeguards in the enterprise context, it remains a challenge to convey these efforts to individual users. While there are legal limits to what providers can do in terms of protecting against state access, many cloud providers recognize the need to take these steps to secure customer trust. This is particularly important when asking people to invest their data in a new ecosystem such as that represented by cloud computing.
  • Data Minimization is Strained. In this context, data minimization is strained in its attempt to limit state surveillance. The nature and utility of the online tools in question envisions users storing their data in the hands of another. Indeed, they should be able to do so – they should be able to trust online services – without needing to worry about exposing themselves to state surveillance.
  • Need Security and Privacy. The real challenge is to facilitate legitimate and necessary security investigations while ensuring privacy protections. Security faces challenges as well in technological ecosystems, where encryption and anonymity are sometimes easier to achieve. It would be helpful to better integrate security and privacy policy-making. The challenge is that the balance we have established over centuries in the brick and mortar context is not easily grafted onto cyberspace.
Conclusions and further comments: 

Part II: How do we Secure Privacy in a Transborder Cloud?

  • New Governance Norms. New legal and extra-legal paradigms that are tailored to the rapidly evolving online environment must be developed. Outdated laws must be updated so courts can play their role in securing civil liberties, but more flexible approaches should be explored. These include cooperative mechanisms that bring together representatives of responsible governments from all over the world, platform operators and civil society and give them the capacity to monitor what surveillance is happening on an ongoing basis. However, it is not clear whether this type of multi-stakeholder auditing is enough on its own. While policymakers are often disproportionately susceptible to intelligence/law enforcement voices, and courts and legislatures struggle with the technical impacts of their policies and typically show up retroactively to clean up the mess, these institutions still have an important role to play in ensuring surveillance remains proportional and legitimate.
  • Multi-Lateral Treaties & Governance Instruments. The use of regional or multi-lateral agreements might form a preferable basis for instilling some control over transborder access to cloud data. Mechanisms such as MLATs can be used to place restrictions on surveillance mechanisms. The Council of Europe’s Cybercrime Convention, if bolstered with more robust human rights protections, can provide a legal framework that states can rely upon as a substitute for the application of political pressure to share information directly to private companies. Private parties are not well-placed to assess the legality or legitimacy of data requests. Often, they are not even given sufficient information to attempt such assessments. In this sense, strong legal protections and objective mechanisms for ensuring compliance are not only necessary, but once in place,
  • Transparency. Transparency must be approached in a balanced manner. User notification is important, but should not be undertaken in a way that prematurely exposes and, hence, undermines legitimate investigations. Aggregate transparency, however, has no capacity to threaten an investigation and is necessary for informed policy making, and so that individuals can understand how their data is at risk from state access.
  • Cross-Pollination of Stakeholders. It would be useful for businesses to increase hiring trends from civil society and law enforcement and for governments to increase hiring from civil society and from business. Additionally, more multi-stakeholder dialogue is useful to reach a common understanding of the issues and challenges involved.
  • Technologically Informed & Neutral Policies. It is critical to ensure laws and practices are not technology specific but, at the same time, they need to be greatly informed by a thorough understanding of their broader technical implications.