Evidence in the cloud and the rule of law in cyberspace


Alexander Seger

Cybercrime is a reality. It is not just a matter of attacks against machines but a threat to the core values of democratic societies. This is illustrated by the proliferation of private data theft; by cyberattacks against the media, civil society organisations, parliaments and individuals; denial-of-service attacks against public institutions and critical infrastructure; sexual violence against children; xenophobia, racism and radicalisation; and terrorist misuse of information technologies.

Even when they are not committed against, or by using, computers, most criminal offences nowadays involve electronic evidence stored on computer systems, including on servers somewhere in the cloud. Electronic evidence is volatile and securing it for criminal justice purposes is fraught with technical, practical and legal complexities.

Governments cannot argue the problems away. They have an obligation to protect society and individuals against crime in cyberspace.

At the Council of Europe’s Octopus Conference on Cybercrime in June 2015, cybercrime experts from all over the world were asked about the rule of law online. Survey results showed they did not consider that “cyberspace is basically safe, that crime and violation of rights are the exception and that offenders are brought to justice.”

Most cybercrime is never reported, particularly in the private sector where organisations tend to stay clear of criminal justice. A large share of reported cybercrime is never investigated, few of the offences that are investigated result in prosecutions and, of those, few end up with court rulings.

Progress has been made in recent years, in Europe and worldwide, to establish legal frameworks, set up specialised cybercrime units at police and prosecutorial levels, and intensify international cooperation. The Council of Europe’s Budapest Convention on Cybercrime serves as a framework for cooperation for a growing number of countries. International police-to-police cooperation is improving with the support of organisations such as the European Cybercrime Centre at EUROPOL and the Global Complex for Innovation at INTERPOL.

Many governments are realising that considerable resources need to be allocated not just to protect critical information infrastructure but also to beef up the criminal justice response. Increasing investments in capacity building programmes by the European Union, the Council of Europe, the United Nations and others are beginning to yield results.

Nevertheless, the ability of governments to ensure the rule of law in cyberspace will remain limited unless they can overcome impediments to accessing data and thus to electronic evidence for criminal justice purposes. No data means no evidence, no justice and thus no rule of law.

Many investigations are abandoned for lack of data. This is also true for non-cybercrime offences which involve electronic evidence, including serious and violent crime: for example, location data in murder cases, subscriber information related to a ransom e-mail sent during kidnappings, data to identify and locate victims of child abuse, or data on communications between terrorists.

The sheer scale of cybercrime, the number of devices, users and victims involved, and technical complications such as encryption or anonymisers, present major challenges for criminal justice.

These issues become much more complex in the context of cloud computing. While law-enforcement powers are tied to the principle of territoriality, data may be stored somewhere in the cloud, held by, or moved between, multiple layers of cloud service providers in various jurisdictions.

“Cloud services may entail a combination of service models (Cloud Software as a Service (SaaS), Cloud Platform as a Service (PaaS), Cloud Infrastructure as a Service (IaaS)). It is often unclear … which service provider is in possession or control of which type of data – subscriber information, traffic data, content data – so as to be served a production order”, according to the Council of Europe’s Cybercrime Convention Committee in May 2015.

Current mutual legal assistance practices are not sufficiently effective. To whom should a mutual legal assistance request be sent in such situations?

In the absence of clear international rules, governments increasingly take unilateral action. The result is a jungle of diverse approaches with risks for state-to-state relations and the rights of individuals.

That raises other fundamental issues: how to reconcile the need for efficient law-enforcement access to data with rule-of-law and human-rights requirements; and how to avoid the trap of undermining the rule of law through actions meant to protect it?

Searches of computers, interception of communications or other law-enforcement powers can interfere with the rights of individuals. They must be prescribed by law, pursue legitimate aims, be necessary and proportionate, allow for effective remedies and be subject to guarantees against abuse.

For criminal procedures and coercive measures at domestic levels, safeguards are normally in place and rule-of-law conditions can be met, at least in democratic societies.

When it comes to access to evidence in foreign jurisdictions, the mutual legal assistance process is designed to ensure that conditions are met and the rights of individuals are protected.

This, however, presents a dilemma: how to allow for more efficient access to evidence in the cloud in order to strengthen the rule of law through criminal justice, and at the same time ensure that rule-of-law and human-rights conditions are met where current mutual legal assistance rules and procedures are of limited effectiveness.

The Cybercrime Convention Committee of the Council of Europe – comprising the State Parties to the Budapest Convention on Cybercrime – has been reflecting on this for some time. In December 2014, the Committee adopted a set of recommendations to render the mutual legal assistance process more efficient. At the same time, the Committee created a “Cloud Evidence Working Group” to identify additional solutions.

Specific proposals should become available in the course of 2016. They may take the form of non-binding guidelines or of an additional Protocol to the Budapest Convention on Cybercrime. Such a binding international legal instrument may be necessary to meet rule-of-law as well as data-protection requirements. It remains to be seen whether agreement can be reached on such a complex matter, but the Budapest Convention appears to be the most realistic framework for negotiating additional international rules.
