c om p u t e r l aw & s e c u r i t y r e v i ew 2 7 ( 2 0 1 1 ) 5 2 4e5 2 8
ava i lab le a t www.sc iencedi rec t .com
www.compsecon l ine .com/publ i ca t ions /prodc law.h tm
Digital evidence and ‘cloud’ computing
Stephen Mason a, Esther George b,1
aBarrister, UKbCrown Prosecution Service, UK
Keywords:
Digital evidence
Cloud computing
PACE
Cybercrime
1 The authors thank Burkhard Schafer, Prdirector of the Joseph Bell Centre for Forencomments on this paper. The views express
2 A paper entitled ‘Introduction to cloud coduction, available at http://www.sun.com/feafor Critical Areas of Focus in Cloud Computing V
3 One technical definition of cloud computiTechnology, Information Technology Labora‘Cloud computing is a model for enabling con(e.g., networks, servers, storage, applicationeffort or service provider interaction. This cservice models, and four deployment modelVersion 15 (10-7-09), available at http://csrc.0267-3649/$ e see front matter ª 2011 Stephdoi:10.1016/j.clsr.2011.07.005
a b s t r a c t
The term ‘cloud computing’ has begun to enter the lexicon of the legal world. The term is
not new, but the implications for obtaining and retaining evidence in electronic format for
the resolution of civil disputes and the prosecution of alleged criminal activities might be
significantly affected in the future by ‘cloud’ computing. This article is an exploratory essay
in assessing the effect that ‘cloud’ computing might have on evidence in digital format in
criminal proceedings in the jurisdiction of England & Wales.
ª 2011 Stephen Mason and Esther George. Published by Elsevier Ltd. All rights reserved.
1. The meaning of ‘cloud’ computing storage, as required, without the need for human
The word ‘cloud’, in cloud computing, is a fairly accurate
description of the ephemeral nature of the structure by which
the services are offered.2 Just as a cloud might appear and
disappear rapidly, and the forces of air, heat andwater vapour
will change the internal dynamic of the cloud, so the services
offered over the Internet by providers of software can be as
equally as transitory. In this article, cloud computing is
described by reference to a set of characteristics, rather than
by offering a definition.3 Cloud computing uses the Internet to
provide a service. The five essential characteristics mentioned
in the definition provided by the National Institute of Stan-
dards and Technology (NIST) comprise:
(a) An ability to use the facilities of a computer or num-
ber of computers, such as server time and network
ofessor of Computationasic Statistic and Legal Reed and conclusions reachmputing architecture’ (Jutured-articles/CloudCom2.1 (December 2009), avang has been offered by Petory:venient, on-demand nets, and services) that canloud model promotes avs.’nist.gov/groups/SNS/clouen Mason and Esther Ge
interaction.
(b) The user can use anymechanism to obtain access to the
Internet, including computers, mobile telephones, and
PDAs.
(c) The entity providing the computing resources will
probably include a provision to enable them to deter-
mine what happens to data: in time and space. This
means the provider may have the ability to send data to
any computer anywhere in the world at any time to any
entity in order to provide the service to the customer,
and the data can be moved around the world to
different providers at any time in order to satisfy the
rise and fall in demand, or to enable the provider to
increase themargin of profit. The customer tends not to
have any control over the exact location of the
computing resources, although they might be able to
l Legal Theory, School of Law, University of Edinburgh, and Co-asoning and Alexander Seger of the Council of Europe for theired remain the sole responsibility of the authors.ne 2009) by Sun Microsystems provides a useful technical intro-puting.pdf; also useful is Cloud Security Alliance, Security Guidanceilable at https://cloudsecurityalliance.org/guidance/.ter Mell and Tim Grance of the National Institute of Standards and
work access to a shared pool of configurable computing resourcesbe rapidly provisioned and released with minimal managementailability and is composed of five essential characteristics, three
d-computing/index.html.orge. Published by Elsevier Ltd. All rights reserved.
4 In civil proceedings in the USA where data is stored in a cloudcomputing service, courts have ordered that such data be dis-closed if it is relevant to the proceedings, for which see thefollowing examples: National Economic Research Associates, Inc., vEvans 2006 WL 2440008 (e-mail communications exchangedbetween employee and his lawyer sent over a laptop computerowned by the business via the employee’s personal web-based e-mail account and protected by a password were the subject ofprivilege); Romano v Steelcase, Inc., 907N.Y.S.2d 650 (in an action forinjuries sustained as a result of a motoring accident, the defen-dant obtained an order to obtain relevant personal informationuploaded by the claimant on the social networking web sitesFacebook and MySpace to counter the claim by the claimant thatshe had had suffered permanent injuries).
c om p u t e r l aw & s e c u r i t y r e v i ew 2 7 ( 2 0 1 1 ) 5 2 4e5 2 8 525
specify that data must remain in a specific country or in
a particular data centre.
(d) Providers generally claim to have the flexibility to deal
with high demand very quickly, with the concomitant
ability to continue to offer a service when demand falls.
(e) The service is measured by automatically controlling
and making the best use of any resources that are
available by distributing data that is appropriate to the
type of service, such as the storage of data, the pro-
cessing of data, the rate of data transfer, and the
number of users that are active at any one time.
The transient nature of cloud computing is also reflected in
the various business models used to sell the service. They
include:
� Cloud software as a service (SaaS), where the customer
uses applications provided by the seller. One example
that has been in use for some time is web-based e-mail.
In this respect, the customer uses the network, servers,
operating systems, storage facilities, and possibly indi-
vidual applications provided by the seller.
� Cloud platform as a service (PaaS), by which the seller
provides the infrastructure (network, servers, operating
systems, storage facilities) toenableacustomer touse their
own applications that they create by using any program-
ming languages and tools supported by the seller. The
seller will not necessarily offer its own or a single infra-
structure to provide the service. It may act as an ‘aggre-
gator’ by which the seller uses a number of third parties to
provideseparateapplicationsandsets ofhardware, but the
buyer is given the impression that that the service they are
paying for is one consolidated infrastructure.
� Cloud infrastructure as a service (IaaS) (sometimes
called a ‘hosted’ service), where the seller provides the
infrastructure (network, servers, operating systems,
storage facilities) to enable the customer to use and run
software of their choice, which can include operating
systems and applications.
In each of the models outlined above, the underlying
infrastructure (operating systems, network, servers, operating
systems, storage facilities) is usually in the control of the
provider (although not alwayse the providermaywell reserve
the right to sub-contract any aspect of the service it provides
to any sub-contractor anywhere in the world), although the
seller may permit the customer a certain degree of control
over selected networking components, such as firewalls, for
instance. Each of these service models in turn is controlled
and run in a variety of ways, including:
� A ‘private cloud’, where the infrastructure is operated
solely by or on behalf of a single entity. The infrastruc-
ture might be owned and managed by the organization;
alternatively, it might be owned and managed by a third
party on behalf of the entity, and the infrastructure
might be physically located in the premises of the
organization, or in another geographic location.
� A ‘community cloud’, where the infrastructure, which
might be shared by several organizations, provides
facilities to a specific community that has shared inter-
ests. The infrastructure might be managed by one or
more of the organizations; alternatively, it might be
owned and managed by a third party on behalf of an
single entity or any number of the entities jointly, and
the infrastructure may be physically located on the
premises of one of the organizations, or in another
geographic location.
� A ‘public cloud’, where a provider owns the infrastruc-
ture and makes it available to anybody that wishes to
pay for the service. Theway each provider deals with the
rise and fall in demand will affect how data is dealt with
under this model. In essence, the providers act in
a similar way as an electricity grid: they will trade
between each other to buy and sell capacity to process
data or store data, or both process and store data.
� A ‘hybrid cloud’, where an infrastructure is formed of two
ormorecloud infrastructures that in turncanbeamixture
of private, community, or public infrastructures. Each
infrastructure retains its unique characteristics, and each
entityhasstandardorproprietary technology that enables
data and applications to be moved across the infrastruc-
tures to facilitate the balancing of the load during periods
of high take-up by customers.
For persons reading this article, it will quickly become
apparent that people intent on committing crimes might
begin to take advantage of the transitory nature of the services
offered by cloud computing, thus making it exceedingly
difficult for authorities investigating alleged offences to gather
evidence in digital format. In addition, an organization might
decide to use a form of cloud computing for perfectly legiti-
mate reasons, but find itself in difficulties if it is required to
produce evidence in digital format as the result of civil liti-
gation e or a party seeking to establish sufficient evidence of
wrong doing before taking legal action might find itself
disadvantaged in obtaining a suitable preliminary order to
search for possible evidence.4
The remainder of this article will discuss, at a high level of
generality, some of the possible problems that cloud
computing might bring to criminal investigations.
1.1. The copies of data
Data may be transferred between many computers across
a number of continents during the time a person or legal
c om p u t e r l aw & s e c u r i t y r e v i ew 2 7 ( 2 0 1 1 ) 5 2 4e5 2 8526
entity decides to use a cloud computing service. As a result,
there are at least three possibilities in relation to the data:
there might be multiple copies of the data on each storage
device it is stored upon as it is moved around the globe, or the
data might be securely erased as it is moved from one
computer infrastructure to another, leaving no trace; alter-
natively, residual copies of data might be created that a user
has an obligation to delete. Copies of data might not only be
stored in an unknown number of computers across the globe,
but there might be an unknown number of copies of the same
digital document in different iterations across different
jurisdictions. This could affect the identification of relevant
data for criminal proceedings.
2. Criminal investigations
In England & Wales, the powers to investigate an alleged
offence are provided for in general powers at common law,
the Police and Evidence Act 1984 (as amended and supple-
mented) (PACE), the Codes of Practice made under the provi-
sions of s 66 of PACE,5 and a number of other statutes that will
be considered in brief below. There are very few powers of
entry without a warrant under the common law,6 although
the police have a power to enter and search premises
following an arrest.7 By comparison, PACE has, to a great
extent, acted to consolidate the police powers in England &
Wales.
2.1. Warrants
Provisions for warrants to enter and search premises are
covered by sections 15 and 16 of PACE, together with the
directions set out in Code B of the Codes of Practice. They
apply to all warrants issued under any enactment issued to
constables, although the provisions have been extended to
include others.8 A warrant to enter and inspect, or an arrest
warrant used to obtain entry, is not covered by these provi-
sions.9 An entry or search that is subject to the provisions of ss
15 and 16 and any entry or search that does not comply with
them is unlawful.10 An application is made to a Justice of the
5 Contravention of the provisions contained in the Codes willnot give rise to any criminal or civil liability in accordance with s67(10) of PACE, although a court may take account of any breachof the Codes in determining any proceedings to which the breachis relevant: s 67(11) PACE.
6 Richard Stone, The Law of Entry, Search, and Seizure (4th edn,2005), Oxford University Press, paras 3.03e3.13.
7 R (on the application of Rottman) v Commissioner of Police for theMetropolis [2002] UKHL 20, [2002] 2 All ER 865; Ghani v Jones [1970] 1QB 693, CA.
8 Richard Stone, The Law of Entry, Search, and Seizure (4th edn,2005), Oxford University Press, para 3.16.
9 Section 17(1)(a).10 Section 15(1). The requirements should be applied stringently:R v Central Criminal Court, ex p AJD Holdings [1992] Crim LR 669, andif the exercise of power complies with the provisions, there is noscope for a submission based on Article 8 of the Human RightsAct: Kent Pharmaceuticals Ltd v Director of the Serious Fraud Office[2002] EWHC 3023.
Peace or a judge in writing, and the constable is required to
answer any questions put by the judge or justice on oath.11
The grounds upon which the application is made must be
clear, togetherwith the enactment underwhich thewarrant is
to be issued, the identity of the premises to be entered and
searched, and the articles or persons sought. Section 19(1)
enables a constable to seize items where they are lawfully on
the premises, and s 19(4)12 provides the constable with powers
in relation to data in digital format:
‘The constable may require any information which is
stored in any electronic form and is accessible from the
premises to be produced in a form in which it can be taken
away andwhich it is visible and legible or fromwhich it can
readily be produced in a visible and legible form if he has
reasonable grounds for believing
(a) that-
(i) it is evidence in relation to an offence which he is
investigating or any other offence; or
(ii) it has been obtained in the commission of an
offence; and
(b) that it is necessary to do so in order to prevent it being
concealed, lost, tampered with, or destroyed.’
Stone observes that this might include data held anywhere
in the world,13 and the practical problems relating to this
becomes obvious for a constable, who may be exposed to
a civil action for trespass against items that were seized and
later shown to be exempt from seizure.14 This particular
problem has now been addressed in ss 50e52 of the Criminal
Justice and Police Act 2001 (supplemented by paragraphs
7.7e7.13 to Code B of the Codes of Conduct),15 which in turn
implements, either expressly or by implication, the provisions
of articles 19(2) and 22(1)(d) of the Convention on Cybercrime
(Budapest, 23.XI.2001).16 Section 50(2) deals with property
found on a premises, and provides that when a person is
lawfully on a premises, and finds property that they would be
entitled to seize, but the item also includes something that
there is no power to seize, and it is not practicable for the two
items to be separated, the person is given the power to seize
11 Section 15(4).12 As amended by the Criminal Justice and Police Act 2001,Schedule 2, para 13(2).13 Richard Stone, The Law of Entry, Search, and Seizure, (4th edn,2005), Oxford University Press, para 3.60.14 R v Chesterfield Justices Ex parte Bramley [2000] QB 576, [2000] 2WLR 409, [2000] All ER 411, [2000] 1 Cr App R 486, [2000] Crim LR385, [1999] 45L S Gaz R 34, 143 S.J. LB 282, DC.15 Explanatory Notes to the Act, paras 156e164.16 Other relevant legislation in the EU includes article 19(1)(a) ofCouncil Framework Decision 2005/222/JHA of 24 February 2005 onattacks against information systems OJ L69, 16.3.2005, p. 67e71,which provides as follows: ‘Each Member State shall establish itsjurisdiction with regard to the offences referred to in Articles 2, 3,4 and 5 where the offence has been committed: (a) in whole or inpart within its territory;’ and article 9 of Council FrameworkDecision 2001/413/JAI of 28 May 2001 on combating fraud andcounterfeiting of non-cash means of payment, OJ L149 of 02.06.2001, which uses identical language to article 19(1)(a).
c om p u t e r l aw & s e c u r i t y r e v i ew 2 7 ( 2 0 1 1 ) 5 2 4e5 2 8 527
the property. The factors to be taken into account whether the
item can be seized is set out in s 50(3).
Section 51 also provides for similar, additional, powers of
seizure from a person where existing powers already exist to
carry out a search of the person. Paragraph 165 of the
Explanatory Notes explain the need for this additional
provision:
‘This section gives additional powers of seizure from the
person where there is an existing power to search that
person. It is almost identical to section 50. It is necessary
because, for example, individuals might have on them
handheld computers or computer disks which might
contain items of electronic data which the police would
wish to seize. Alternatively, they could be carrying a suit-
case containing a bulk of correspondence which could not
be examined in the street.’
Taken together, these provisions undoubtedly cover the
use of imaging technology to obtain copies of data held on
a computer, as accepted in the case of The Queen on the appli-
cation of Paul Da Costa & Co (a firm) v Thames Magistrates Court17
where images of hard drives were taken by Customs and
Excise during a search.18 The comments by Kennedy LJ, in
response to the complaint that a great deal of information that
was not covered by the order was included in the copies of the
hard disks, are relevant to the problems that will inevitably be
caused in such cases:
‘Imaging was much less intrusive than seizing the hard
disks. It was apparently agreed to by a partner, who I accept
did not have authority to waive professional privilege on
behalf of clients. If the result was that the Customs and
Excise obtained amongst other things information in
relation to clients of the accountancy practice that is no
more objectionable than if they had for good reason taken
possession of a leather bound ledger much of which con-
tained information of a similar kind.’19
2.2. Evidence from other jurisdictions
The obtaining of evidence from other jurisdictions, as well as
the provision of evidence for other jurisdictions, is governed
by the provisions of ss 7e9 of the Crime (International Coop-
eration) Act 2003. A judicial authority, prosecuting authority
or a person charged may make a request for evidence for use
in the investigation or proceedings.20 Section 51(1) defines
evidence, to include ‘information in any form and articles, and
17 [2002] EWHC 40 (Admin).18 In respect of Commissioners of the Inland Revenue, see R (othe application of H) v Commissioners of Inland Revenue [2002] EWH2164 (Admin).19 [2002] EWHC 40 (Admin) at 20.20 ‘If an application is to be made for a warrant it is the duty othe applicant to give full assistance to the district judge, and thaincludes drawing to his or her attention anything that militateagainst the issue of the warrant’ per Kennedy LJ at 24(3), R (EnergFinancing Team Ltd) v Bow Street Magistrates’ Court [2006] 1 WL1316, [2005] EWHC 1626 (Admin).
nC
ftsyR
giving evidence includes answering a question or producing
any information or article,’ which undoubtedly includes
evidence in digital format. In respect of obtaining evidence
from members of the European Union,21 the European Arrest
Warrant has been adopted by the United Kingdom under the
provisions of the Extradition Act 2003.22 In 2003, the Home
Office addressed a Note, ‘The UK’s operation of the European
Arrest Warrant’ to the Working Party on Cooperation in
criminal matters,23 in which the government set out to
provide a guide for other Member States of the European
Union that explained how the UK has given effect to the
Council Framework Decision of 13 June 2002 on the European
arrest warrant and the surrender procedure between Member
States.
2.3. Seizing evidence
Where an investigator attends a premise and finds that the
suspect’s computer is turned on, and is on-line and con-
nected to a cloud storage server, the server can be taken to be
part of the computer equipment. The position in such
a situation would be the same wherever in the world the
cloud storage server is located; providing the investigator is
on the premises under a lawful authority, this information
can be obtained if it is evidence of or connected to an offence.
In such circumstances, the investigator is merely observing
the fact that the server continues to do what it was caused to
do by the accused e the position remains so, providing the
investigator does not cause the server to do anything else;
continuity remains from the point in time the accused con-
nected to the server to the point in time that the investigator
seizes the computer e the investigator, by refraining from
giving any instructions to the server, has not altered its
original function. All the investigator intends to do is store
the information that is being sent from the server to the
computer.
Where the investigator decides that the information being
exchanged between the server and computer is evidence of
illegal activity, the investigator has the option to save the data
either:
(a) On to the suspects computer, although this could be
problematic from the point of view of demonstrating
the chain of evidence and abiding by the Association of
Chief Police Officers (ACPO) ‘Good Practice Guide for
Computer-Based Electronic Evidence’ (v4).24
(b) Alternatively, the investigator could obtain access
remotely to the server to enable data to be downloaded
21 Valsamis Mitsilegas EU Criminal Law (2009); Andre Klip Euro-pean Criminal Law (2009); Vernimmen-Van Tiggelen Gisele, SuranoLaura and Anne Weyembergh, eds, The future of mutual recognitionin criminal matters in the European Union (2009).22 Judge Rob Blekxtoon, editor in chief, Handbook on the EuropeanArrest Warrant, (T.M.C. Asser Press, 2005).23 From the United Kingdom delegation to the Working Party onCooperation in criminal matters (Experts on the European arrestwarrant) dated 2 December 2003 (15585/03 GS/hm 1).24 For a discussion of these guidelines in the context of digitalevidence, see Stephen Mason, general editor, Electronic Evidence,(2nd edn, LexisNexis Butterworths, 2010), 3.11 e 3.16; 10.259.
c om p u t e r l aw & s e c u r i t y r e v i ew 2 7 ( 2 0 1 1 ) 5 2 4e5 2 8528
on to a separate computer, while the suspects computer
remains on-line to the server. If this method is adopted,
it is imperative that the server should not be initiated
to do anything it was not already in the process of
doing.
Good practice suggests that before doing anything, the
investigator should take suitable action to ensure the infor-
mation displayed on the computer screen is recorded, perhaps
by video, as evidence that the offence is taking place. In
addition, any actions taken with respect to the computer
should also be recorded, and where a separate computer is
used to download the data, all the actions required to under-
take this exercise should also be recorded. Recording all the
actions undertaken by the investigator at the scene of the
seizure, will reduce the risk that the defence may argue that
the investigator fundamentally changed the evidence during
the collection phase of the exercise.
There may be circumstances where the computer is not
turned on at the premises, and the suspect voluntarily
informs the investigator that his data is kept on-line with
some form of cloud service. If the cloud is located in another
jurisdiction, it will be necessary to obtain evidence via
a Mutual Legal Assistance request to the nation concerned.
This conforms to article 32 of the Convention on Cybercrime.
In seeking such assistance, it may be necessary to more fully
understand the process of the cloud application; identify the
provider (whether a legal entity or individual trading in their
own name or under a trading name), where they are
geographically located and their address and other contact
details. Joseph J. Schwerha IV wrote a white paper for the
Council of Europe, entitled “Law Enforcement Challenges in
Transborder Acquisition of Electronic Evidence from “Cloud
Computing Providers”. In it, he considered transborder
searches, cloud computing and article 32 of the Convention on
Cybercrime in some depth and concluded (footnotes omitted)
on page 1825:
“The Convention may not adequately address investiga-
tions of a very urgent nature. Under the Convention, an
investigator may only perform a transborder search if the
information being sought is generally available, or if the
investigator has the appropriate consent. Getting consent
in extremely time sensitive situations may not be tenable.
25 This paper was written for the Global Project on Cybercrime,http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/cy-activity-Interface-2010/Presentations/default_en.asp.
This difficulty is only exacerbated in scenarios where the
evidence being sought is from a Cloud Computing Provider
located in a foreign country which may not be easily or
quickly accessed through traditional telecommunication
methods”.
Alexander Seger, Head of the Economic Crime Division of
the Council of Europe, has long been an authority on cloud
computing with a particular emphasis on privacy and issues
that law enforcement face in obtaining access to data stored
in the cloud. Alexander agrees that law enforcement “needs to
have access to traffic data, and subscriber information in
order to use in the prosecution of criminals and bring them to
court, and that it is imperative that law enforcement are given
the tools to protect us from cybercrime.”26
It is anticipated that increasing volumes of data will be
stored in the cloud rather than on an individual computer,
especially because criminals clearly retain the services of
highly skilled people to help them commit cybercrimes. There
is no doubt that the admission of evidence obtained from the
cloudwill be of even greater significance in the future. It might
be necessary to consider legislation to ensure that that such
evidence isadmissible, should therebeanysignificantproblem
in introducing such evidence in to criminal proceedings. In the
UK, the next best evidence rule will come into even more
prominence, and courts will be encouraged to admit such
evidence, because the original evidence will reside in the
cloud.27
Stephen Mason ([email protected]) is a barrister.
He is the author of Electronic Signatures in Law (3rd edition, Cam-
bridge University Press, 2012) and general editor of Electronic
Evidence (2nd edition, LexisNexis Butterworths, 2010) and Interna-
tional Electronic Evidence (British Institute of International and
Comparative Law, 2008).
Esther George ([email protected]) LLB (Hons), LLM,
MA is a Senior Policy Advisor and Crown Advocate with the
Crown Prosecution Service at Strategy and Policy Directorate. Esther
initiated the Global Prosecutors E-Crime Network, which enables
prosecutors around the world to learn and benefit from sharing
information, experiences, and strategies with each other, resulting
in enhanced international cooperation.
26 Communication with Mr Seger.27 For a discussion on the meaning of ‘original’ in the context ofdigital evidence, see Stephen Mason, general editor, ElectronicEvidence, (2nd edn, LexisNexis Butterworths, 2010), 4.09.