Vaciago, Cybercrime Page: 1

CLOUD COMPUTING WORKSHOP

LEGAL ASPECTS OF THE CLOUD

Brussels, March 1, 2012

Prof. Dr. Giuseppe Vaciago

US PATRIOT ACT

• The Patriot Act is extraterritorial in application (Section 215 and Section 505). Under this Act, U.S. authorities are entitled to subpoena business records from any company that has:

i. “minimum contacts” with the U.S.

ii “possession, custody or control” of the targeted data

Page: 2Vaciago, Cybercrime

The Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible property (including books, records, papers, documents, and other items) for an investigation for protecting against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment of the Constitution [...]

Patriot Act, Sec. 215. Access To Records And Other Items Under The FISA

IS IT A DATA PROTECTION ISSUE ?

• “The Data Protection directive shall not apply to the processing of personal data or in any case to processing operations concerning public security, defence, State security and the activities of the State in areas of criminal law” (Art. 3 Directive 95/46/EC)

• Recent proposal for a Directive on the protection of individuals with regard to personal data by competent authorities for the purpose of detecting criminal offences shall not apply in the course of an activity which falls outside the scope of Union law, in particular concerning national security (Art. 1, 2b)

Page: 3Vaciago, Cybercrime

EU POSITION – AUGUST 2011

• August, 23, 2011, Vivian Reding (E-006901/2011 – Answer to parliamentary question):

• “In accordance with international public law, and in the absence of a recognised jurisdictional link, a foreign law or statute cannot directly impose legal obligations on organisations or undertakings established in a third country regarding the activities performed within the territory of that third country”

Page: 4Vaciago, Cybercrime

Viviane Reding - Vice-President of the European Commission

IT IS A JURISDICTION ISSUE

• Territorial principle: the Court in the place where the data is located has jurisdiction.

• Nationality principle: the nationality of the perpetrator is the factor used to determine criminal jurisdiction.

• “Flag” principle: crimes committed on ships, aircraft and spacecraft are subject to the jurisdiction of the flag state.

• “Power of Disposal Approach”: Law enforcement would only have to legally obtain username and password of the suspect’s computer.

Page: 5Vaciago, Cybercrime

Jan Spoenle (Germany) for the Economic Crime Division of the Council of Europe

EU COMPANIES

• “CloudSigma is operated and controlled by a Swiss AG, which is not subject to direct or indirect U.S. control”

• “City Cloud and Several Nines offer a partnership safe-haven from the Patriot Act in Sweden”

• Amazon Web Services (AWS) is subject to the US Patriot Act but the chief technology officer, Werner Vogels, encrypts private data for transit to the Cloud — and for employing best practice when it comes to classifying data

Page: 6Vaciago, Cybercrime

NON-US NATIONAL SECURITY LAWS

• French  Act  No.  2011/267 of 14 March  2011 on the prevention of International terrorism

• Spain Act No. 12/2003 of 21 March 2003 on the prevention of terrorism financing

• Italy Act No. 144/2005 of 27 July 2005 on the prevention of International terrorism

• Canadian Anti-Terrorism-Act No. C-36 18 December 2001 seems to grant powers similar to those of the Patriot Act

Page: 7Vaciago, Cybercrime

JURISDICTION – YAHOO! CASE

• In  2009,  the  US- based   company, Yahoo, was   imposed   a   fine   by   a   Belgian Criminal   Court   for   failing   to   identify   the users   of   a   number   of   webmail  

accounts • This  judgment  was  overturned  by  the  

Court  of  Appeal   of  Ghent  in  2010• In   January   2011,   however,   the  

Belgian Supreme   Court   reversed   the   Court  of  Appeal’s  decision

• In October 2011, the decision was referred back to the Court of Appeal which decided that Yahoo! was not subject to Belgian jurisdiction

Page: 8Vaciago, Cybercrime

EU POSITION – DECEMBER 2011

December 6, 2011 Vivian Reding - 2nd Annual European Data Protection and Privacy Conference - Brussels:

•“I am reading in the press about a Swedish company whose selling point is that they shelter users from the US Patriot Act and other attempts by third countries to access personal data”•“Well, I do encourage cloud computing centres in Europe, but this cannot be the only solution. We need free flow of data between our continents. And it doesn't make much sense for us to retreat from each other”

Page: 9Vaciago, Cybercrime

CONCLUSIONS

• The real issue with Cloud computing is a loss of data location due to:

(i) “Data at rest” does not reside on the device. “Data in transit” cannot be easily analyzed because of encrypting all traffic. “Data in execution” will be present only in the cloud instance

(ii)Virtualization and cloud communication protocols. The investigator who wants to capture the bit-stream data of a given suspect image will be in the same situation as someone who has to complete a jigsaw puzzle, whose pieces are scattered randomly across the globe

Page: 10Vaciago, Cybercrime

CONCLUSIONS

• Terrorism and Cyber-terrorism represent a very serious global threat and operate on a transnational basis out of necessity

• Over 11,500 terrorist attacks occurred in 72 countries in 2010, resulting in approximately 50,000 victims, including almost 13,200 deaths

• The number of attacks rose by almost 5 per cent over previous year

Page: 11Vaciago, Cybercrime

NATIONAL COUNTERTERRORISM CENTER2010 REPORT ON TERRORISM

11064 ATTACKS IN 2010

CONCLUSIONS

• The Patriot Act has been copied in many countries, including Canada, with rules that are not that dissimilar to the American ones

• The Canadian Anti-Terrorism-Act (ATA), shortly after September 11, 2001, was combined with the National Defense Act (NDA) giving a Minister (Defense) the power to authorize investigation of data storage at home and abroad

Page: 12Vaciago, Cybercrime

The Minister of Defense’s authorization is required for the Communications Security Establishment to intercept foreign communications targeted against a non-Canadian abroad that may have a Canadian connection, or to undertake security checks of government computer networks to protect them from terrorist activity [...]

Anti-Terrorism-Act (Review of 2004)Canadian Department of Justice

CONCLUSIONS

• Without referring to Cloud computing, everyday, the transactions of millions of users using credit cards with U.S.-based providers are monitored. Section 326 of the US Patriot Act requires all financial institutions (this includes Credit Card processing companies) to obtain, verify and record information that identifies each person who ‘opens, changes or charges’ an existing account.

Page: 13Vaciago, Cybercrime

The regulations shall, at a minimum, require financial institutions to implement, and customers (after being given adequate notice) to comply with, reasonable procedures for:(a) verifying the identity of any person seeking to open an account to the extent reasonable and practicable; (b) maintaining records of the information used to verify a person’s identity, including name, address, and other identifying information; and (c) consulting lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency […] Patriot Act, Sec. 326. Verification of

Identification

CONCLUSIONS

• Without referring to Cloud computing, projects relating to face recognition are increasingly making it possible, and with ever greater reliability, to track a person's movements, even globally. 3 factors are important:

(a)Increasing public self‐disclosures through online social networks (2.5 billion photos uploaded by Facebook users alone per month in 2010)

(b)Identified profiles in online social networks

(c)Improvements in face recognition accuracy *

* A. Acquisti, Faces Of Facebook - Or, How The Largest Real ID Database In The World Came To Be

Page: 14Vaciago, Cybercrime

CONCLUSIONS

• Even if the goal of the Digital Due Process is review of the ECPA, it may represent an excellent solution to the tension between due process and civil liberties around the world

• 3 important guidelines: (i) Technology and Platform Neutrality (ii) Assurance of Law Enforcement Access and (ii) Equality Between Transit and Storage

• However, I believe it should have a strong EU identity, as this is of crucial importance for ensuring greater EU-US co-operation in this scheme, too

Page: 15Vaciago, Cybercrime

Page: 16

Cybercrime Research InstituteGiuseppe Vaciago

Niehler Str. 35D-50733 Cologne, Germany

vaciago@cybercrime.dewww.cybercrime-institute.com

Vaciago, Cybercrime