Cloudy Jurisdiction: Addressing the thirst for Cloud Data in Domestic Legeal Processes

by Prasad Krishna — last modified Dec 09, 2012 01:00 AM

Elonnai Hickok was a panelist at this workshop held at the IGF in Baku, Azerbaijan on November 7, 2012. The workshop was co-organised by Electronic Frontier Foundation (Peru) and University of Ottawa.

The use of cloud services is rising globally. Cloud computing and storage are uniquely tailored to take full advantage of our increasingly networked environment. However, a move to the cloud also entails tangible challenges as vast repositories of information once kept within the sacrosanct safety of the home computer are placed on a remote server in the control of a third party. While the protections of home storage and processing can be replicated in the cloud, legal norms have been slow to adopt. Jurisdiction, the classic internet governance question, is raised in particularly stark contrast in the move to the cloud, as placing user data can subject that data to the legal access laws of any (or even many) jurisdictions in the world.

While there are indicators that such data is being accessed at increasing and alarming rates, globally, yet even the dimensions of the problem remain obscure. What is needed is a set of shared international norms relating to transparency, data sovereignty and lawful access to private information. In recent years, however, International forums have appeared much more eager to adopt international standards for data access (be it to combat cybercrime, secure critical infrastructure, or help intellectual property holders uncover alleged infringers of their rights) than for data sovereignty. Standards need to be developed that will provide a basis for the special challenges to cross-jurisdictional privacy that the move to the cloud highlights. This panel will examine the need for such a cross-jurisdictional framework, what one might look like, and, importantly, how one might bring such a framework about where the issue appears to be a low priority for many national governments.

Agenda
The objective of this panel is to attempt to resolve some of the trans-border threats to civil liberties that are posed by the move to the cloud. If a baseline of privacy protection can be assured at the international level, concerns over limiting data flows on the basis of jurisdiction will be alleviated. This panel will be divided into two parts. The first part will discuss some of the challenges raised by the cloud environment for traditional civil liberties paradigms. The discussion in part two will be solution-driven—what rules can be put in place at the international level to alleviate the heightened risk to privacy and other civil liberties raised by a cloud-centric model.

Part 1: Cloud-based threats to cross-border civil liberties (45 mins)
This part will discuss some of the challenges to civil liberties arising from a cross-border cloud-based environment. The panel will be further sub-divided into 25-30 minutes of panelist input, followed by 15-20 minutes of general discussion. Panelists will be asked to spend 3-5 minutes highlighting what they view as the most pressing of these challenges may be.

This might include specific recurring problems that have arisen in many comparable online contexts, as they relate to the cloud such as, for example:

legal obligations to build in intercept capacity into Internet services (compare CALEA 2.0 efforts in US, Lawful Access in Canada, and domestic server obligations such as those imposed on RIM by India and others in order to facilitate access to data that is encrypted in transit).
Concerns that many legal regimes permit voluntary conduct without adequate safeguards for political pressure on companies, particularly smaller businesses, to comply with requests.
Inability to challenge surveillance laws because the programs are shrouded in secrecy, because individuals are never made aware they have been surveilled, because of standing issues, etc.
Ability for ‘one-stop access’: cloud centralizes mass amounts of data in one place. This concentration as well as a general erosion of traditional criteria designed to ensure surveillance is targeted in a way that impacts minimally on the general populace.
Nascent suggestions of informal information sharing arrangements through MLATs and less transparent more informal arrangements.

Part 2: Adopting protections at the International level (45 mins.)
The discussion in Part 2 will focus on how some of these problems can be addressed at the international level by adoption of a set of principled protections designed to meet the realities of online and specifically cloud services. The focus is on problem resolution.

Format for Part 2 will mirror that of Part 1. Panelists will be provided with 3-5 minutes each and asked to present their views on one or two solutions that can be adopted at the international level to the problems presented in part 1. The remainder (20-25 minutes) will be dedicated to general discussion.

It is hoped that the discussion will explore specific protections that might be adopted at the international level, how to advance those solutions, and what strategies can generally advance these objectives, on the advocacy front, by use of transparency tools to increase awareness of some of the issues.

Questions to think about:

Historically, interception of communications received the strongest protection at law, but it relied to a great extent on the act of interception coinciding with the communication itself. Should we be expanding this to other means of communications?
Do we have effective mechanisms to immunize private organizations from political pressure to voluntarily share information? Particularly, a lot of small companies can now have a lot of information. Are they well equipped to resist political pressure
Does the content/traffic data distinction still hold? Do we need a new framework for analysing the types of data produced as a natural byproduct of our online activities?
Can the MLAT regime form the basis for ensuring fundamental rights are respected in legitimate cross-border surveillance activities? If so, what would it take to have it reflect a baseline of protections?
Is it feasible to develop and formally adopt detailed limitations on state access at the international or regional level?
Is cloud-based info susceptible to unauthorized state access in new ways? Is this something the law can fix (mandate encryption in storage or other safeguards)? Social engineering concerns?

Background Reading:

The Draft International Principles on Surveillance & Human Rights: http://necessaryandproportionate.org/
Global Network Initiative, "Principles on Freedom of Expression and Privacy", http://www.globalnetworkinitiative.org/sites/default/files/GNI_-_Principles_1_.pdf
I. Brown & D. Korff, “Digital Freedoms in International Law”, GNI 2012, http://wsms1.intgovforum.org/sites/default/files/Digital%20Freedoms%20in%20International%20Law.pdf
J. McNamee, “Internet Intermediaries: The New Cyberpolice?”, GIS Watch, http://www.giswatch.org/sites/default/files/gisw_-_internet_intermediaries_-_the_new_cyber_police_.pdf
A. Escudero-Pascal & G. Hosein, "The Hazards of Technology-Neutral Policy: Questioning Lawful Access to Traffic Data", (2004) 47(3) ACM 77, http://web.it.kth.se/~aep/PhD/docs/paper6-acm-1905-reviewed_20021022.pdf
HRC, “Protect, Respect and Remedy: A Framework for Business and Human Rights”, April 2008, A/HRC/8/5, http://198.170.85.29/Ruggie-report-7-Apr-2008.pdf
HRC, “Guiding Principles on Business and Human Rights: Implementing the United Nations ‘Protect, Respect and Remedy” Framework”, March 2011, A/HRC/7/31, http://www.ohchr.org/Documents/Issues/Business/A-HRC-17-31_AEV.pdf
ACLU, “New Justice Department Documents Show Huge Increase in Warrantless Electronic Surveillance”, Sept 2012, http://www.aclu.org/blog/national-security-technology-and-liberty/new-justice-department-documents-show-huge-increase

Organiser(s) Name:

Katitza Rodriguez, International Rights Director, Electronic Frontier Foundation (Peru)
Tamir Israel, Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (CIPPIC), University of Ottawa (Canada)

Previous Workshop(s):

Submitted Workshop Panelists:

Chair: Katitza Rodriguez, International Rights Director, Electronic Frontier Foundation; (US/Peru) (Civil Society) / Confirmed

Ian Brown, Senior Research Fellow, Oxford Internet Institute (EU) (Academic) / Confirmed
Bertrand de la Chapelle, Program Director at International Diplomatic Academy (EU) (Civil Society) / Confirmed
Marc Crandall, Global Compliance, Google (US) (Private Sector)
Elonnai Hickok, Policy Associate, Centre for Internet & Society (India) (Civil Society) /Confirmed
Sophie Kwasny, Head of Data Protection Unit, Data Protection & Cybercrime Division, Council of Europe (IGO) / Confirmed
Bruce Schneier, Chief Security Technology Officer of BT (US) (Private Sector) / Confirmed
Wendy Seltzer, Policy Counsel, W3C (US) (Technical Community) / Confirmed

Name of Remote Moderator(s): Paul Muchene, iHub Nairobi (Kenya) (Private Sector) Assigned Panellists: de La Chapelle - Bertrand Rodriguez - Katitza Brown - Ian Schneier - Bruce KWASNY - Sophie Seltzer - Wendy Crandall - Marc