CLOUD COMPUTING WORKSHOP
LEGAL ASPECTS OF THE CLOUD
Brussels, March 1, 2012
Prof. Dr. Giuseppe Vaciago
Vaciago, Cybercrime
Page: 1
US PATRIOT ACT
• The Patriot Act is extraterritorial in application (Section 215 and Section 505). Under this Act, U.S. authorities are entitled to subpoena business records from any company that has:
  i. “minimum contacts” with the U.S.
  ii. “possession, custody or control” of the targeted data

“The Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible property (including books, records, papers, documents, and other items) for an investigation for protecting against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment of the Constitution [...]”
Patriot Act, Sec. 215. Access To Records And Other Items Under The FISA
IS IT A DATA PROTECTION ISSUE?
• “The Data Protection directive shall not apply to the processing of personal data or in any case to processing operations concerning public security, defence, State security and the activities of the State in areas of criminal law” (Art. 3 Directive 95/46/EC)
• The recent proposal for a Directive on the protection of individuals with regard to personal data by competent authorities for the purpose of detecting criminal offences shall not apply in the course of an activity which falls outside the scope of Union law, in particular concerning national security (Art. 1, 2b)
EU POSITION – AUGUST 2011
• August 23, 2011, Viviane Reding (E006901/2011 – answer to parliamentary question):
• “In accordance with international public law, and in the absence of a recognised jurisdictional link, a foreign law or statute cannot directly impose legal obligations on organisations or undertakings established in a third country regarding the activities performed within the territory of that third country”
Viviane Reding - Vice-President of the European Commission
IT IS A JURISDICTION ISSUE
• Territorial principle: the court in the place where the data is located has jurisdiction.
• Nationality principle: the nationality of the perpetrator is the factor used to determine criminal jurisdiction.
• “Flag” principle: crimes committed on ships, aircraft and spacecraft are subject to the jurisdiction of the flag state.
• “Power of Disposal Approach”: law enforcement would only have to obtain lawfully the username and password for the suspect’s computer.
Jan Spoenle (Germany) for the Economic Crime Division of the Council of Europe
EU COMPANIES
• “CloudSigma is operated and controlled by a Swiss AG, which is not subject to direct or indirect U.S. control”
• “City Cloud and Several Nines offer a partnership safe-haven from the Patriot Act in Sweden”
• Amazon Web Services (AWS) is subject to the US Patriot Act, but its chief technology officer, Werner Vogels, advocates encrypting private data for transit to the Cloud and employing best practice when it comes to classifying data
NON-US NATIONAL SECURITY LAWS
• French Act No. 2011/267 of 14 March 2011 on the prevention of international terrorism
• Spanish Act No. 12/2003 of 21 March 2003 on the prevention of terrorism financing
• Italian Act No. 144/2005 of 27 July 2005 on the prevention of international terrorism
• The Canadian Anti-Terrorism Act (No. C-36) of 18 December 2001 seems to grant powers similar to those of the Patriot Act
JURISDICTION – YAHOO! CASE
• In 2009, the US-based company Yahoo! was fined by a Belgian criminal court for failing to identify the users of a number of webmail accounts
• This judgment was overturned by the Court of Appeal of Ghent in 2010
• In January 2011, however, the Belgian Supreme Court reversed the Court of Appeal’s decision
• In October 2011, the case was referred back to the Court of Appeal, which decided that Yahoo! was not subject to Belgian jurisdiction
EU POSITION – DECEMBER 2011
December 6, 2011, Viviane Reding, 2nd Annual European Data Protection and Privacy Conference, Brussels:
• “I am reading in the press about a Swedish company whose selling point is that they shelter users from the US Patriot Act and other attempts by third countries to access personal data”
• “Well, I do encourage cloud computing centres in Europe, but this cannot be the only solution. We need free flow of data between our continents. And it doesn't make much sense for us to retreat from each other”
CONCLUSIONS
• The real issue with Cloud computing is a loss of data location, due to:
  (i) “Data at rest” does not reside on the device; “data in transit” cannot be easily analysed because all traffic is encrypted; “data in execution” is present only in the cloud instance
  (ii) Virtualization and cloud communication protocols: the investigator who wants to capture the bit-stream data of a given suspect image is in the same situation as someone who has to complete a jigsaw puzzle whose pieces are scattered randomly across the globe
CONCLUSIONS
• Terrorism and cyber-terrorism represent a very serious global threat and operate on a transnational basis out of necessity
11064 ATTACKS IN 2010
• Over 11,500 terrorist attacks occurred in 72 countries in 2010, resulting in approximately 50,000 victims, including almost 13,200 deaths
• The number of attacks rose by almost 5 per cent over the previous year
NATIONAL COUNTERTERRORISM CENTER, 2010 REPORT ON TERRORISM
CONCLUSIONS
• The Patriot Act has been copied in many countries, including Canada, with rules that are not that dissimilar to the American ones
• The Canadian Anti-Terrorism Act (ATA), passed shortly after September 11, 2001, was combined with the National Defense Act (NDA), giving a Minister (Defense) the power to authorize investigation of data storage at home and abroad
“The Minister of Defense’s authorization is required for the Communications Security Establishment to intercept foreign communications targeted against a non-Canadian abroad that may have a Canadian connection, or to undertake security checks of government computer networks to protect them from terrorist activity [...]”
Anti-Terrorism Act (Review of 2004), Canadian Department of Justice
CONCLUSIONS
• Even without referring to Cloud computing: every day, the transactions of millions of users who use credit cards with U.S.-based providers are monitored. Section 326 of the US Patriot Act requires all financial institutions (this includes credit card processing companies) to obtain, verify and record information that identifies each person who ‘opens, changes or charges’ an existing account.
“The regulations shall, at a minimum, require financial institutions to implement, and customers (after being given adequate notice) to comply with, reasonable procedures for:
(a) verifying the identity of any person seeking to open an account to the extent reasonable and practicable;
(b) maintaining records of the information used to verify a person’s identity, including name, address, and other identifying information; and
(c) consulting lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency […]”
Patriot Act, Sec. 326. Verification of Identification
CONCLUSIONS
• Even without referring to Cloud computing, projects relating to face recognition are increasingly making it possible, with ever greater reliability, to track a person's movements, even globally. Three factors are important:
  (a) Increasing public self-disclosures through online social networks (2.5 billion photos uploaded by Facebook users alone per month in 2010)
  (b) Identified profiles in online social networks
  (c) Improvements in face recognition accuracy *
* A. Acquisti, Faces of Facebook - Or, How the Largest Real ID Database in the World Came to Be
CONCLUSIONS
• Even if the goal of the Digital Due Process is review of the ECPA, it may represent an excellent solution to the tension between due process and civil liberties around the world
• 3 important guidelines: (i) Technology and Platform Neutrality, (ii) Assurance of Law Enforcement Access and (iii) Equality Between Transit and Storage
• However, I believe it should have a strong EU identity, as this is of crucial importance for ensuring greater EU-US co-operation in this scheme, too
Cybercrime Research Institute
Giuseppe Vaciago
Niehler Str. 35
D-50733 Cologne, Germany
vaciago@cybercrime.de
www.cybercrime-institute.com