CLOUD COMPUTING WORKSHOP LEGAL ASPECTS OF THE CLOUD Brussels, March 1, 2012 Prof. Dr. Giuseppe Vaciago Vaciago, Cybercrime Page: 1 US PATRIOT ACT • The Patriot Act is extraterritorial in application (Section 215 and Section 505). Under this Act, U.S. authorities are entitled to subpoena business records from any company that has: i. “minimum contacts” with the U.S. ii “possession, custody or control” of the targeted data The Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible property (including books, records, papers, documents, and other items) for an investigation for protecting against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment of the Constitution [...] Patriot Act, Sec. 215. Access To Records And Other Items Under The FISA Vaciago, Cybercrime Page: 2 IS IT A DATA PROTECTION ISSUE ? • • “The Data Protection directive shall not apply to the processing of personal data or in any case to processing operations concerning public security, defence, State security and the activities of the State in areas of criminal law” (Art. 3 Directive 95/46/EC) Recent proposal for a Directive on the protection of individuals with regard to personal data by competent authorities for the purpose of detecting criminal offences shall not apply in the course of an activity which falls outside the scope of Union law, in particular concerning national security (Art. 1, 2b) Vaciago, Cybercrime Page: 3 EU POSITION – AUGUST 2011 • August, 23, 2011, Vivian Reding (E006901/2011 – Answer to parliamentary question): • “In accordance with international public law, and in the absence of a recognised jurisdictional link, a foreign law or statute cannot directly impose legal obligations on organisations or undertakings established in a third country regarding the activities performed within the territory of that third country” Vaciago, Cybercrime Viviane Reding - Vice-President of the European Commission Page: 4 IT IS A JURISDICTION ISSUE • Territorial principle: the Court in the place where the data is located has jurisdiction. • Nationality principle: the nationality of the perpetrator is the factor used to determine criminal jurisdiction. • “Flag” principle: crimes committed on ships, aircraft and spacecraft are subject to the jurisdiction of the flag state. • “Power of Disposal Approach”: Law enforcement would only have to legally obtain username and password of the suspect’s computer. Vaciago, Cybercrime Jan Spoenle (Germany) for the Economic Crime Division of the Council of Europe Page: 5 EU COMPANIES • “CloudSigma is operated and controlled by a Swiss AG, which is not subject to direct or indirect U.S. control” • “City Cloud and Several Nines offer a partnership safe-haven from the Patriot Act in Sweden” • Amazon Web Services (AWS) is subject to the US Patriot Act but the chief technology officer, Werner Vogels, encrypts private data for transit to the Cloud — and for employing best practice when it comes to classifying data Vaciago, Cybercrime Page: 6 NON-US NATIONAL SECURITY LAWS • French Act No. 2011/267 of 14 March 2011 on the prevention of International terrorism • Spain Act No. 12/2003 of 21 March 2003 on the prevention of terrorism financing • Italy Act No. 144/2005 of 27 July 2005 on the prevention of International terrorism • Canadian Anti-Terrorism-Act No. C-36 18 December 2001 seems to grant powers similar to those of the Patriot Act Vaciago, Cybercrime Page: 7 JURISDICTION – YAHOO! CASE • In 2009, the US- based company, Yahoo, was imposed a fine by a Belgian Criminal Court for failing to identify the users of a number of webmail accounts • This judgment was overturned by the Court of Appeal of Ghent in 2010 • In January 2011, however, the Belgian Supreme Court reversed the Court of Appeal’s decision • In October 2011, the decision was referred back to the Court of Appeal which decided that Yahoo! was not subject to Belgian jurisdiction Vaciago, Cybercrime Page: 8 EU POSITION – DECEMBER 2011 December 6, 2011 Vivian Reding 2nd Annual European Data Protection and Privacy Conference - Brussels: •“I am reading in the press about a Swedish company whose selling point is that they shelter users from the US Patriot Act and other attempts by third countries to access personal data” •“Well, I do encourage cloud computing centres in Europe, but this cannot be the only solution. We need free flow of data between our continents. And it doesn't make much sense for us to retreat from each other” Vaciago, Cybercrime Page: 9 CONCLUSIONS • The real issue with Cloud computing is a loss of data location due to: (i) “Data at rest” does not reside on the device. “Data in transit” cannot be easily analyzed because of encrypting all traffic. “Data in execution” will be present only in the cloud instance (ii) Virtualization and cloud communication protocols. The investigator who wants to capture the bit-stream data of a given suspect image will be in the same situation as someone who has to complete a jigsaw puzzle, whose pieces are scattered randomly across the globe Vaciago, Cybercrime Page: 10 CONCLUSIONS • Terrorism and Cyber-terrorism represent a very serious global threat and operate on a transnational basis out of necessity 11064 ATTACKS IN 2010 • Over 11,500 terrorist attacks occurred in 72 countries in 2010, resulting in approximately 50,000 victims, including almost 13,200 deaths • The number of attacks rose by almost 5 per cent over previous year NATIONAL COUNTERTERRORISM CENTER 2010 REPORT ON TERRORISM Vaciago, Cybercrime Page: 11 CONCLUSIONS • The Patriot Act has been copied in many countries, including Canada, with rules that are not that dissimilar to the American ones • The Canadian Anti-Terrorism-Act (ATA), shortly after September 11, 2001, was combined with the National Defense Act (NDA) giving a Minister (Defense) the power to authorize investigation of data storage at home and abroad Vaciago, Cybercrime The Minister of Defense’s authorization is required for the Communications Security Establishment to intercept foreign communications targeted against a nonCanadian abroad that may have a Canadian connection, or to undertake security checks of government computer networks to protect them from terrorist activity [...] Anti-Terrorism-Act (Review of 2004) Canadian Department of Justice Page: 12 CONCLUSIONS • Without referring to Cloud computing, everyday, the transactions of millions of users using credit cards with U.S.based providers are monitored. Section 326 of the US Patriot Act requires all financial institutions (this includes Credit Card processing companies) to obtain, verify and record information that identifies each person who ‘opens, changes or charges’ an existing account. The regulations shall, at a minimum, require financial institutions to implement, and customers (after being given adequate notice) to comply with, reasonable procedures for: (a) verifying the identity of any person seeking to open an account to the extent reasonable and practicable; (b) maintaining records of the information used to verify a person’s identity, including name, address, and other identifying information; and (c) consulting lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency […] Patriot Act, Identification Vaciago, Cybercrime Sec. 326. Verification of Page: 13 CONCLUSIONS • Without referring to Cloud computing, projects relating to face recognition are increasingly making it possible, and with ever greater reliability, to track a person's movements, even globally. 3 factors are important: (a)Increasing public self‐disclosures through online social networks (2.5 billion photos uploaded by Facebook users alone per month in 2010) (b)Identified profiles in online social networks (c)Improvements in face recognition accuracy * * A. Acquisti, Faces Of Facebook - Or, How The Largest Real ID Database In The World Came To Be Vaciago, Cybercrime Page: 14 CONCLUSIONS • Even if the goal of the Digital Due Process is review of the ECPA, it may represent an excellent solution to the tension between due process and civil liberties around the world • 3 important guidelines: (i) Technology and Platform Neutrality (ii) Assurance of Law Enforcement Access and (ii) Equality Between Transit and Storage • However, I believe it should have a strong EU identity, as this is of crucial importance for ensuring greater EU-US co-operation in this scheme, too Vaciago, Cybercrime Page: 15 Cybercrime Research Institute Giuseppe Vaciago Niehler Str. 35 D-50733 Cologne, Germany vaciago@cybercrime.de www.cybercrime-institute.com Vaciago, Cybercrime Page: 16