Legal challenges in cloud forensics and cross-border criminal and counterterrorism investigations

20 Dec 2017 09:00h - 10:00h

Event report

[Read more session reports and live updates from the 12th Internet Governance Forum]

Moderator of the session, Mr Pace Frank, University of Groningen, invited the panelists to elaborate on their experiences in dealing with cyber law enforcement.

Mr Jan Ellerman, senior specialist in the European Union Agency for Law Enforcement Cooperation (EUROPOL) Data Protection Office, explained that the debate on security versus privacy as a common theme is misplaced. ‘In order to do it right, we need to increase both’, he said. Ellerman noted concerns on the start of Internet censorship in European police offices and believes that transparency issues need to be addressed more. EUROPOL aspires to have a robust data protection regime, but not without a public debate. In his view, anyone can help prevent propaganda online that spreads violence. The dangers posed by the dark web were mentioned, but remain without clear resolving tactics.

Giving an American perspective, Mr Chris Kelly, director of the Digital Evidence Laboratory for the Massachusetts Attorney General’s Office, explained two cases with potential global impact. Carpenter vs. US asks how much surveillance is too much and if third party providers have to give out information. It establishes the type of order necessary for law enforcement to enhance what they can do by tracking somebody using technology. The Microsoft Dublin matter questions whether the federal US store communications act allows for extra-territorial application of search warrants. The main challenge, according to Kelly, is balancing different privacy and security interests, and these cases will have an impact on international cross-border data sharing.

Mr Kenneth Pennington, superintendent at Police Service of Northern Ireland (PSNI), spoke from the perspective on the ground. These are not issues of ‘security versus privacy, but of rights versus rights’, Pennington said. The balance between the suspect’s and victim’s rights is challenging. Law enforcement cannot work without legal authorities, and there is necessity for more accountability and timeliness. Problems heard on the ground usually refer to cloud storage access, unfit national legislation, hackers using stolen servers from other jurisdictions, as well as dealing with the dark net and encryption.

Going back to Europe, Mr Markus Hartmann, head of the Northrhine-Westphalian Central Cybercrime Department (Zentral- und Ansprechstelle Cybercrime, ZAC NRW), emphasised possible solutions to the problem of increasing sophistication of cyberattacks. He said the same case can be investigated in 16 other German states, which is a waste of resources. As for solutions, Hartmann first brought up quicker access, by saying that immediacy of access is key. Second, efficiency of investigation and common agreed standards would aid global enforcement efforts. Last, he encouraged distributed prosecution clusters as a new way of cooperation. He said mechanism of mutual legal assistance should be brought to the international scale.

Ms Maria Angela Biasiotti, researcher at the Institute of Legal Information Theory and Techniques (ITTIG), Italian National Research Council, focused on new ways for cooperation between stakeholders. Data is always ‘somewhere in the cloud’, she said, stored, fragmented and moved between servers across jurisdictions. Service providers appear to be above the law because they determine if they cooperate. According to Biasiotti, common framework should be developed for requesting and processing categories of data. Also, common interpretation of types of electronic devices can be helpful. She emphasised that the point is to address technical policy but also societal questions.

‘Criminals cooperate and don’t feel hampered by borders’, said Mr Patrick Curry, director at British Business Federation Authority (BBFA).  Making places safer to do business means more collaboration. Governments create legislation without putting in place the behaviours for collaboration to occur. Accountability, traceability in the supply chains, border control, national security are crucial in the prevention space. Collaborative risk management can be improved because currently law enforcement prosecutes without the government and the industry. Curry proposed to include law enforcement in developing collaborative standards, to establish trust mechanisms and to create work groups more in ICANN and similar bodies.

By Jana Mišić