Privacy in the Cloud is on the edge

By Simon Davies

Over the past two years, the US and UK governments have been aggressively moving to further undermine privacy protection for access to data in the Cloud. In the first of a two-part series, Simon Davies reports on a landmark US case being contested by Microsoft and a secret trans-Atlantic law enforcement access deal. In the second part he assesses the response of NGOs, academics and privacy regulators.

Hundreds of millions of people entrust their most sensitive personal information to the care of private companies. They routinely upload correspondence, images, medical files, browsing habits and intimate profile data to servers that are often located in remote jurisdictions.

However, they do so with the clear understanding that any third party (such as government agencies) would only gain access to that information via clear and transparent processes that are internationally agreed. Facebook’s US privacy policy, for example, states that the company may disclose information to other countries “where we have a good faith belief that the response is required by law in that jurisdiction, affects users in that jurisdiction, and is consistent with internationally recognized standards.”

Despite rising sensitivities about the need for protection of this vast reserve of information, some governments are moving swiftly to circumvent those standards and to seize private information, both by stealth and through judicial short-cuts. It would be reasonable in such circumstances that users would find such measures intolerable. Many would expect companies to defend data to the greatest extent that the law provides.

This dynamic is precisely what’s happening now, both in the US and in the UK. The implications – particularly in the Cloud – for global privacy are immense and are worth some time to contemplate.

Let’s look first at a relevant US judicial development, where over the past two years, a fascinating – and groundbreaking – legal case has been unfolding. Given its importance to the future of privacy and public security in the information age, this case has received surprisingly little attention in the international press.

The case centres on a December 2013 US Department of Justice (DoJ) warrant application demanding the surrender of Microsoft user emails held in the company’s Dublin data centre. Microsoft is challenging the legal basis of the warrant and the company appears prepared to take the issue right through to the Supreme Court. This has already become a legal test of gladiatorial proportions.

The DoJ’s application was made pursuant to a drug trafficking investigation (allegedly) involving the now defunct Silk Road darkweb trading site. Silk Road has been an obsession of the DoJ since the site’s inception in 2011, even though its principal was subsequently jailed for life with no hope of parole. Still, the DoJ wanted to secure a legal guarantee that would ensure in future it could seize data anywhere in the world that are controlled by US companies. In serving a warrant on Microsoft, the DoJ had figured the courts would buy its argument that a company based in the US would be required to hand over any data under its control – wherever that data resided. Events did not turn out the way the DoJ had anticipated.

For a start, Microsoft made the argument that in the circumstances of this case, the company risks breaching Irish law. And of course if US courts demand disclosure, the company would be in breach of US law. Welcome to the complexities of Cloud!

The Microsoft case will ultimately determine whether US search warrants may be used to search for and seize digital information stored outside the United States. In other words, this case will decide the protection of (and access to) a huge amount of Cloud data on more than a billion people.

Not wanting to state the obvious, but it goes without saying that this case isn’t about whether you support a drug prohibition regime or not. It’s about the rule of law. If our justice departments cannot meticulously respect the conditions of law, then there can be no certainty or fairness in the sharing of personal information among government agencies. In such a scenario, both privacy and public safety are imperilled.

Microsoft’s challenge is based on the principle that United States courts cannot authorize searches and seizures of digital information stored overseas. It argues that if the United States government does not have the power to execute a physical search and seizure in another country (for example, to conduct a house search in Germany), the same limit should also apply to warrant applications for the search and seizure of email data stored overseas.

This is no straightforward matter. The challenge of enabling legitimate third-party access to personal data was never simple – but it becomes infinitely more complex when the requested information resides in another nation. Country X making a request to a company with operations in country Y can often expect delays and uncertainty before (or even if) information is handed over.

There are exceptions. When the ideal relationship is established between parties, the process can be conducted in almost real time. In testimony to the US Congress, Microsoft president Brad Smith recalled:

“On a January morning last year the French Government sought the contents of emails from two customer accounts held by Microsoft, as it pursued the two terrorist suspects who were at large after the Charlie Hebdo attacks in Paris. It was apparent that information stored in the cloud was vital for the protection of public safety. The French authorities contacted the FBI in the United States and the FBI served upon us a lawful emergency request under U.S. law. Despite the fact that the FBI’s letter arrived electronically at 5:47 a.m. on the west coast of the United States, we were able to assess its validity under U.S. law, conclude it was proper, pull the email content in question, and deliver it to the FBI in New York all in exactly 45 minutes. In short, there are times, especially in emergency situations, when international legal processes for cloud technology can work well.”

Traditionally, however, this is seldom the situation. Police organisations do not provide harmonised, adequate or consistent training and support for such international operations. There are vast language barriers and an equally problematic lack of understanding about respective legal processes.

Nonetheless, police, security and other entities routinely approach companies to access stored data about customers. This activity is accelerating. Companies such as Google are reporting that data requests have more than doubled over the past three years.

In many cases – conscious of legal constraints – agencies will specify primary “non content” transactional data such as usernames, e-mail addresses, gender, geographic location, IP addresses and dates and times of online traffic rather than the secondary content such as the body of messages which often carry a higher legal test for disclosure.

Such requests are not a peripheral activity. In 2012 Microsoft and Skype published their first transparency report, showing that the companies received a combined 75,378  such requests for customer information, which potentially involved data from 137,424 accounts from services such as Hotmail, SkyDrive, Outlook.com, Xbox LIVE and Skype.

The Microsoft figures produced a few surprises. First among these was the finding that the company rejected over eighteen percent of requests, either because of concerns over procedure and legality, or because no data were found. In 2016 the company reported that this figure had risen to almost thirty percent. These figures raise disquieting questions about the competence of the agencies making such requests.

Many people believe this situation needs to be resolved. As the realm of digital communications accelerates – and as law enforcement and security agencies find greater scope to access troves of personal information – there’s a pressing need for solutions that are both efficient and safe.

The way these data transfers have often been executed in past years has been through a web of Mutual Legal Assistance Treaties (MLATs). These legal devices are supposed to streamline data requests and provide assurance that due process has been fulfilled.

However, in circumventing the use of the MLAT process, the US government has asserted that domestic legal systems can trump established international legal procedures. If this argument prevails, other nations will see it as a mandate to do the same.

Microsoft argues that the US has entered into many MLATs that establish specific procedures for obtaining evidence in other countries. The company argues that the U.S. government should request overseas data by using the MLAT procedures. By seeking information through a warrant, rather than through MLATs, the U.S. government is frustrating the purpose of those agreements.

In response, the DoJ argues that the warrant was served on Microsoft inside the United States and the data is within Microsoft’s control. The company, it claims, thus has a legal obligation to disclose the information. The DoJ also provocatively asserts that Microsoft’s position has already interfered with investigations and caused uncertainty and confusion, though factual support for that view remains anecdotal at best.

The implications are substantial. If Microsoft is required to violate Ireland’s laws (the company was subsequently held in contempt of court for refusing to cooperate) this could signal a global free-for-all where any nation (Russia, China, Turkey) could assert an extraterritorial claim.

The case moved slowly but inexorably. In December 2013 the District Court issued the warrant. Microsoft refused to comply and moved to have the content element of the warrant quashed; the company was then held in contempt of court.

In April 2014 the District Court denied Microsoft’s motion, and in September 2015 argument began in Microsoft’s appeal to the Second Circuit Court of Appeals.

To the surprise of many, in July 2016 the Second Circuit ruled in favour of Microsoft, holding that Congress, when it passed the Stored Communications Act, did not intend the government to have access to data held overseas. Three months later, in October 2016, the DoJ announced that it would appeal to the full Second Circuit bench. A decision on that appeal is pending but not expected until Spring, and the DoJ’s course of action has been questioned by US lawmakers.

This does not mean the DoJ has put all its eggs in the one basket. This year it drafted legislation, currently before Congress, that would establish a basis for such transfers based on mutual recognition of “human rights standards”. This is a novel approach that goes some way to promising a solution, but it has provoked a schism among civil society and legal experts. The key problem is how, precisely, those standards should be agreed and which processes should be openly created. Two academics in particular, Jennifer Daskal and Andrew Woods, have produced strong pragmatic arguments in favour of the approach. The reaction of European NGOs has been overwhelmingly skeptical, with few organisations trusting the US government to fairly apply and conform to such standards.

A major part of this issue concerns the “beta test” for the new law: the United Kingdom. While the new provisions require the US to create enabling legislation and a transparent process, no such condition applies to the UK. More importantly, the trans-Atlantic agreement has not been published, nor have any of the procedures that led up to it. Interestingly, in this case the US has striven to apply transparent standards while the UK has not. This prompted the Electronic Privacy Information Center (EPIC) this month to file a Freedom of Information Act request to view the text and the relevant files.

EPIC’s suit is critically important. If there is no transparency of such processes, there can be no trust. In the second part of this series I will delve into how civil society and academics are responding to this important issue.

December 1, 2016 at 03:57PM
via The Privacy Surgeon http://ift.tt/2h2x6jU