When dealing with inter-jurisdictional boundaries of cloud computing, a cloud forensics examiner or law enforcement may have trouble with the lawful acquisition of digital evidence. It is ultimately important to understand how the law applies and obtain the appropriate warrants or permissions before the actual acquisition. It is further important to understand who owns the data and the relationship between entities.
According to Thomas Earl (2013), a Cloud Provider is the provider of cloud services (example – Google Drive) whereas the Cloud Consumer is the end user or organization utilizing the cloud service. The Attempting to acquire digital evidence without the proper permission or warrants could render the evidence as useless with an injunctive order of a motion to suppress or motion to quash. Additionally, if the cloud forensics examiner tries to access digital evidence that is unauthorized by the network owner, without the appropriate warrant or permissions, the forensic examiner may be committing a prosecutable crime themselves. In cloud computing, the logical boundaries that separate ownership can be a grey area so it is important to understand which areas a forensic examiner has legal access to.
According to Dykstra (2013), the first public case regarding the issuance of a warrant specifically for cloud services first occurred in 2011. This indicates that the courts have granted exclusive privilege for digital evidence acquisition on cloud services platforms as early as 2011. According to the federal rules of evidence, 47 CFR 14.42, evidence ‘in the defendant’s possession, custody, or control’ is considered permissible. In a previous case law ruling, Williams v. Angie’s List, an Indian court founded that cloud data, in fact, belonged and was under the control of the defendant.
Williams v. Angie’s List
“evidence before the Court demonstrates that Angie’s List and Salesforce have a longstanding contractual relationship and that the background data is recorded ‘for’ Angie’s List as part of the ordinary course of their business relationship. Even while end users such as Angie’s List ‘ordinarily’ do not access such data, the evidence clearly demonstrates that they are able to do so upon asking. In fact, the most compelling fact before the Court is that Angie’s List, despite dragging its feet and protesting vociferously, were actually able to retrieve and produce one year’s of the background data, collected for Angie’s List as part of its use of Salesforce’s sales platform, to Plaintiffs in discovery. The fact that Angie’s List has already produced one-third of the requested data, coupled with the evidence demonstrating the relationship between Angie’s List and Salesforce, compels the conclusion that Angie’s List has a ‘legal right to obtain’ the discovery sought.” (eDiscovery, 2017)
As case law and the legal system fight to implement strategies to modern-day technologies, we can continue to follow the progression of legal processes for multi-party involved evidence acquisition. For the time being, it appears it is a best practice to obtain additional warrants for cloud services or for the acquisition of data on networks that are not under the defendant’s personal control as required under the federal rules of evidence, or if it is not reasonable to assume that said forensic examiner has a right to acquire under the permissions of a court-issued warrant.
There is yet another legal consideration when it comes to the cloud consumer and cloud provider relationship. In an example provided by Dykstra (2013), a defendant is charged with a crime of hacking into a Cloud Consumer’s digital property, the prosecutor may subpoena logs from the legitimate user. Because the defendant may be accused of gaining unauthorized access into another unknowing Cloud Consumer’s online service and executed some sort of attack, the prosecutor/plaintiff may seek to subpoena the innocent bystander’s (unknowing Cloud Consumer) logs as other data may be private and unrelated to the case.
However, if the defendant deleted the logs, the court may provide a warrant within a certain scope or parameters for the privacy of the legitimate Cloud Consumer. A forensic examiner and plaintiff should develop a procedure to ensure that the plaintiff follows the scope of the subpoena/warrant and is able to justify all evidence obtained. The court may also require the forensic examiner to sign a non-disclosure agreement if the legitimate consumer’s private data being released to the public has the potential to cause loss to the legitimate Cloud Consumer.
The final challenge in the acquisition of digital evidence pertaining to cloud services relates to jurisdiction. In the United States, there are legal precedents in place to deal with multi-jurisdictional offenses. Dykstra (2013) examples the legal precedent of United States v. Drew (Rubel, 2009) in which a mother of a 13-year-old, had bullied her daughter’s in school ‘enemy’ under the fictitious Myspace account of a faux 16-year-old boy. The victim ultimately committed suicide and the defendant was charged under the Computer Fraud and Abuse Act.
The legal precedence, in this case, is most important for the fact that the events occurred in Missouri however the defendant was charged in California, as that is where Myspace was headquartered. Dykstra (2013) proceeds to state that “many people assume that the laws protecting data are those where the data physically exists…” however “…crimes are committed against the data owners in their forum state…” Under this, we can conclude that it is more appropriate to engage in prosecutions and civil litigation in the states in which the digital evidence is stored.
Ultimately, most of the legal challenges that cloud forensics examiners face in cloud service examinations pertain to data location and privacy. Prior to 2011, there were not any legal precedents for determining whether the federal rules of evidence declared cloud services as part of evidence. Afterwards, it was found that even cloud services could be considered under the defendant’s control and could be utilized in court proceedings. There may be situations when dealing with cloud services that innocent third parties could become involved. Those third parties must be considered when obtaining warrants or subpoenas for digital acquisition. A plan should be developed to minimize loss to innocent persons if a forensic examination extends to private data not related to the case. Lastly, in a situation where a case may span over multiple jurisdictions, it may be preferable to try the case in the forum state of the Cloud Provider.
Earl, Thomas. “Roles and Boundaries.” What is Cloud Computing? Roles and Boundaries, WhatIsCloud.com, 2013, whatiscloud.com/roles_and_boundaries/index.
Dykstra, Josiah. Seizing Electronic Evidence from Cloud Computing Environments. University of Maryland, Baltimore County, USA, 2013, www.csee.umbc.edu/~dykstra/Seizing-Electronic-Evidence-from-Cloud-Computing-Environments.pdf.
Staff, LII. “Federal Rules of Criminal Procedure.” LII / Legal Information Institute, 30 Nov. 2011, www.law.cornell.edu/rules/frcrmp.
Austin, Doug. “Loud Data is Within Defendant’s Possession, Custody and Control, Court Rules: eDiscovery Case Law.” EDiscovery Daily Blog, Cloudnine, 19 July 2017, www.ediscovery.co/ediscoverydaily/electronic-discovery/cloud-data-within-defendants-possession-custody-control-court-rules-ediscovery-case-law/.
For more information on investigative services provided services by Spectre Intelligence, see this link:
Spectre Intelligence is a private investigation and intelligence firm located in sunny Round Rock, TX (Austin area). If you need investigation or cybersecurity services, visit us at www.spectreintel.com and www.spectretechnology.com