Digital evidence and ‘cloud’ computing

  • Published on

  • View

  • Download

Embed Size (px)


<ul><li><p>Digital evidence and cloud computing</p><p>a b,1</p><p>uti</p><p>ica</p><p>dis</p><p>in t</p><p>t th</p><p>in</p><p>on</p><p>ting,</p><p>description of the ephemeral nature of the</p><p>the services are offered.2 Just as a cloud</p><p>air, hea</p><p>f the cl</p><p>ers of</p><p>icle, c</p><p>haracte</p><p>puting</p><p>charac</p><p>interaction.</p><p>1 The authors thank Burkhard Schafer, Professor of Computational Legal Theory, School of Law, University of Edinburgh, and Co-</p><p>duction, available at; also useful is Cloud Security Alliance, Security Guidancefor Critical Areas of Focus in Cloud Computing V2.1 (December 2009), available at One technical definition of cloud computing has been offered by Peter Mell and Tim Grance of the National Institute of Standards and</p><p>Technology, Information Technology Laboratory:Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources(e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal managementeffort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, threeservice models, and four deployment models.</p><p>loud-computing/index.html.</p><p>ava i lab le a t iencedi rec t .com</p><p>www.compsecon l ine .com/publ i ca t ions /prodc law.h tm</p><p>c om p u t e r l aw &amp; s e c u r i t y r e v i ew 2 7 ( 2 0 1 1 ) 5 2 4e5 2 8Version 15 (10-7-09), available at of the Joseph Bell Centre for Forensic Statistic and Legal Reasoning and Alexander Seger of the Council of Europe for theircomments on this paper. The views expressed and conclusions reached remain the sole responsibility of the authors.2 A paper entitled Introduction to cloud computing architecture (June 2009) by Sun Microsystems provides a useful technical intro-in the definition provided by the National Institute of Stan-</p><p>dards and Technology (NIST) comprise:</p><p>(a) An ability to use the facilities of a computer or num-</p><p>ber of computers, such as server time and network</p><p>different providers at any time in order to satisfy the</p><p>rise and fall in demand, or to enable the provider to</p><p>increase themargin of profit. The customer tends not to</p><p>have any control over the exact location of the</p><p>computing resources, although they might be able toprovide a service. The five essentialdisappear rapidly, and the forces of</p><p>will change the internal dynamic o</p><p>offered over the Internet by provid</p><p>equally as transitory. In this art</p><p>described by reference to a set of c</p><p>by offering a definition.3 Cloud com0267-3649/$ e see front matter 2011 Stephdoi:10.1016/j.clsr.2011.07.005structure by which</p><p>might appear and</p><p>t andwater vapour</p><p>oud, so the services</p><p>software can be as</p><p>loud computing is</p><p>ristics, rather than</p><p>uses the Internet to</p><p>teristics mentioned</p><p>Internet, including computers, mobile telephones, and</p><p>PDAs.</p><p>(c) The entity providing the computing resources will</p><p>probably include a provision to enable them to deter-</p><p>mine what happens to data: in time and space. This</p><p>means the provider may have the ability to send data to</p><p>any computer anywhere in the world at any time to any</p><p>entity in order to provide the service to the customer,</p><p>and the data can be moved around the world toThe word cloud, in cloud compu is a fairly accurate (b) The user can use anymechanism to obtain access to the1. The meaning of cloud computing storage, as required, without the need for humanStephen Mason , Esther GeorgeaBarrister, UKbCrown Prosecution Service, UK</p><p>Keywords:</p><p>Digital evidence</p><p>Cloud computing</p><p>PACE</p><p>Cybercrime</p><p>a b s t r a c t</p><p>The term cloud comp</p><p>not new, but the impl</p><p>the resolution of civil</p><p>significantly affected</p><p>in assessing the effec</p><p>criminal proceedings</p><p> 2011 Stephen Masen Mason and Esther Geng has begun to enter the lexicon of the legal world. The term is</p><p>tions for obtaining and retaining evidence in electronic format for</p><p>putes and the prosecution of alleged criminal activities might be</p><p>he future by cloud computing. This article is an exploratory essay</p><p>at cloud computing might have on evidence in digital format in</p><p>the jurisdiction of England &amp; Wales.</p><p>and Esther George. Published by Elsevier Ltd. All rights reserved.orge. Published by Elsevier Ltd. All rights reserved.</p></li><li><p>facilities to a specific community that has shared inter-</p><p>ests. The infrastructure might be managed by one or</p><p>more of the organizations; alternatively, it might be</p><p>owned and managed by a third party on behalf of an</p><p>single entity or any number of the entities jointly, and</p><p>the infrastructure may be physically located on the</p><p>premises of one of the organizations, or in another</p><p>geographic location.</p><p> A public cloud, where a provider owns the infrastruc-ture and makes it available to anybody that wishes to</p><p>pay for the service. Theway each provider deals with the</p><p> A hybrid cloud, where an infrastructure is formed of two</p><p>c om p u t e r l aw &amp; s e c u r i t y r e v i ew 2 7 ( 2 0 1 1 ) 5 2 4e5 2 8 525specify that data must remain in a specific country or in</p><p>a particular data centre.</p><p>(d) Providers generally claim to have the flexibility to deal</p><p>with high demand very quickly, with the concomitant</p><p>ability to continue to offer a service when demand falls.</p><p>(e) The service is measured by automatically controlling</p><p>and making the best use of any resources that are</p><p>available by distributing data that is appropriate to the</p><p>type of service, such as the storage of data, the pro-</p><p>cessing of data, the rate of data transfer, and the</p><p>number of users that are active at any one time.</p><p>The transient nature of cloud computing is also reflected in</p><p>the various business models used to sell the service. They</p><p>include:</p><p> Cloud software as a service (SaaS), where the customeruses applications provided by the seller. One example</p><p>that has been in use for some time is web-based e-mail.</p><p>In this respect, the customer uses the network, servers,</p><p>operating systems, storage facilities, and possibly indi-</p><p>vidual applications provided by the seller.</p><p> Cloud platform as a service (PaaS), by which the sellerprovides the infrastructure (network, servers, operating</p><p>systems, storage facilities) toenableacustomer touse their</p><p>own applications that they create by using any program-</p><p>ming languages and tools supported by the seller. The</p><p>seller will not necessarily offer its own or a single infra-</p><p>structure to provide the service. It may act as an aggre-</p><p>gator by which the seller uses a number of third parties to</p><p>provideseparateapplicationsandsets ofhardware, but the</p><p>buyer is given the impression that that the service they are</p><p>paying for is one consolidated infrastructure.</p><p> Cloud infrastructure as a service (IaaS) (sometimescalled a hosted service), where the seller provides the</p><p>infrastructure (network, servers, operating systems,</p><p>storage facilities) to enable the customer to use and run</p><p>software of their choice, which can include operating</p><p>systems and applications.</p><p>In each of the models outlined above, the underlying</p><p>infrastructure (operating systems, network, servers, operating</p><p>systems, storage facilities) is usually in the control of the</p><p>provider (although not alwayse the providermaywell reserve</p><p>the right to sub-contract any aspect of the service it provides</p><p>to any sub-contractor anywhere in the world), although the</p><p>seller may permit the customer a certain degree of control</p><p>over selected networking components, such as firewalls, for</p><p>instance. Each of these service models in turn is controlled</p><p>and run in a variety of ways, including:</p><p> A private cloud, where the infrastructure is operatedsolely by or on behalf of a single entity. The infrastruc-</p><p>ture might be owned and managed by the organization;</p><p>alternatively, it might be owned and managed by a third</p><p>party on behalf of the entity, and the infrastructure</p><p>might be physically located in the premises of the</p><p>organization, or in another geographic location. A community cloud, where the infrastructure, whichmight be shared by several organizations, providesormorecloud infrastructures that in turncanbeamixture</p><p>of private, community, or public infrastructures. Each</p><p>infrastructure retains its unique characteristics, and each</p><p>entityhasstandardorproprietary technology that enables</p><p>data and applications to be moved across the infrastruc-</p><p>tures to facilitate the balancing of the load during periods</p><p>of high take-up by customers.</p><p>For persons reading this article, it will quickly become</p><p>apparent that people intent on committing crimes might</p><p>begin to take advantage of the transitory nature of the services</p><p>offered by cloud computing, thus making it exceedingly</p><p>difficult for authorities investigating alleged offences to gather</p><p>evidence in digital format. In addition, an organization might</p><p>decide to use a form of cloud computing for perfectly legiti-</p><p>mate reasons, but find itself in difficulties if it is required to</p><p>produce evidence in digital format as the result of civil liti-</p><p>gation e or a party seeking to establish sufficient evidence of</p><p>wrong doing before taking legal action might find itself</p><p>disadvantaged in obtaining a suitable preliminary order to</p><p>search for possible evidence.4</p><p>The remainder of this article will discuss, at a high level of</p><p>generality, some of the possible problems that cloud</p><p>computing might bring to criminal investigations.</p><p>1.1. The copies of data</p><p>Data may be transferred between many computers across</p><p>a number of continents during the time a person or legal</p><p>4 In civil proceedings in the USA where data is stored in a cloudcomputing service, courts have ordered that such data be dis-closed if it is relevant to the proceedings, for which see thefollowing examples: National Economic Research Associates, Inc., vEvans 2006 WL 2440008 (e-mail communications exchangedbetween employee and his lawyer sent over a laptop computerowned by the business via the employees personal web-based e-mail account and protected by a password were the subject ofprivilege); Romano v Steelcase, Inc., 907N.Y.S.2d 650 (in an action forinjuries sustained as a result of a motoring accident, the defen-dant obtained an order to obtain relevant personal informationuploaded by the claimant on the social networking web sitesrise and fall in demand will affect how data is dealt with</p><p>under this model. In essence, the providers act in</p><p>a similar way as an electricity grid: they will trade</p><p>between each other to buy and sell capacity to process</p><p>data or store data, or both process and store data.Facebook and MySpace to counter the claim by the claimant thatshe had had suffered permanent injuries).</p></li><li><p>entity decides to use a cloud computing service. As a result,</p><p>there are at least three possibilities in relation to the data:</p><p>there might be multiple copies of the data on each storage</p><p>device it is stored upon as it is moved around the globe, or the</p><p>data might be securely erased as it is moved from one</p><p>computer infrastructure to another, leaving no trace; alter-</p><p>natively, residual copies of data might be created that a user</p><p>has an obligation to delete. Copies of data might not only be</p><p>stored in an unknown number of computers across the globe,</p><p>but there might be an unknown number of copies of the same</p><p>digital document in different iterations across different</p><p>jurisdictions. This could affect the identification of relevant</p><p>data for criminal proceedings.</p><p>2. Criminal investigations</p><p>Peace or a judge in writing, and the constable is required to</p><p>answer any questions put by the judge or justice on oath.11</p><p>The grounds upon which the application is made must be</p><p>clear, togetherwith the enactment underwhich thewarrant is</p><p>to be issued, the identity of the premises to be entered and</p><p>searched, and the articles or persons sought. Section 19(1)</p><p>enables a constable to seize items where they are lawfully on</p><p>the premises, and s 19(4)12 provides the constable with powers</p><p>in relation to data in digital format:</p><p>The constable may require any information which is</p><p>stored in any electronic form and is accessible from the</p><p>premises to be produced in a form in which it can be taken</p><p>away andwhich it is visible and legible or fromwhich it can</p><p>readily be produced in a visible and legible form if he has</p><p>reasonable grounds for believing</p><p>5 Contravention of the provisions contained in the Codes will</p><p>c om p u t e r l aw &amp; s e c u r i t y r e v i ew 2 7 ( 2 0 1 1 ) 5 2 4e5 2 8526not give rise to any criminal or civil liability in accordance with s67(10) of PACE, although a court may take account of any breachof the Codes in determining any proceedings to which the breachis relevant: s 67(11) PACE.6 Richard Stone, The Law of Entry, Search, and Seizure (4th edn,</p><p>2005), Oxford University Press, paras 3.03e3.13.7 R (on the application of Rottman) v Commissioner of Police for the</p><p>Metropolis [2002] UKHL 20, [2002] 2 All ER 865; Ghani v Jones [1970] 1QB 693, CA.8 Richard Stone, The Law of Entry, Search, and Seizure (4th edn,</p><p>2005), Oxford University Press, para 3.16.9 Section 17(1)(a).10 Section 15(1). The requirements should be applied stringently:R v Central Criminal Court, ex p AJD Holdings [1992] Crim LR 669, andif the exercise of power complies with the provisions, there is noscope for a submission based on Article 8 of the Human Rights2.1. Warrants</p><p>Provisions for warrants to enter and search premises are</p><p>covered by sections 15 and 16 of PACE, together with the</p><p>directions set out in Code B of the Codes of Practice. They</p><p>apply to all warrants issued under any enactment issued to</p><p>constables, although the provisions have been extended to</p><p>include others.8 A warrant to enter and inspect, or an arrest</p><p>warrant used to obtain entry, is not covered by these provi-</p><p>sions.9 An entry or search that is subject to the provisions of ss</p><p>15 and 16 and any entry or search that does not comply with</p><p>them is unlawful.10 An application is made to a Justice of theIn England &amp; Wales, the powers to investigate an alleged</p><p>offence are provided for in general powers at common law,</p><p>the Police and Evidence Act 1984 (as amended and supple-</p><p>mented) (PACE), the Codes of Practice made under the provi-</p><p>sions of s 66 of PACE,5 and a number of other statutes that will</p><p>be considered in brief below. There are very few powers of</p><p>entry without a warrant under the common law,6 although</p><p>the police have a power to enter and search premises</p><p>following an arrest.7 By comparison, PACE has, to a great</p><p>extent, acted to consolidate the police powers in England &amp;</p><p>Wales.Act: Kent Pharmaceuticals Ltd v Director of the Serious Fraud Office[2002] EWHC 3023.(a) that-</p><p>(i) it is evidence in relation to an offence which he is</p><p>investigating or any other offence; or</p><p>(ii) it has been obtained in the commission of an</p><p>offence; and</p><p>(b) that it is necessary to do so in order to prevent it being</p><p>concealed, lost, tampered with, or destroyed.</p><p>Stone observes that this might include data held anywhere</p><p>in the world,13 and the practical problems relating to this</p><p>becomes obvious for a constable, who may be exposed to</p><p>a civil action for trespass against items that were seized...</p></li></ul>


View more >