Cloud computing and Legal challenges

By King’ori Mathenge.

The concept of cloud computing has been around for quite a while now. Basically, it refers to accessing what would otherwise be ‘local computer resources’, e.g. storage, not on your local machine but through a provider over the internet. With corporations such as Microsoft offering Azure as a cloud computing platform (and, for first-time users, access to a free Azure account for a limited amount of time), this is among the platforms I believe users can use to explore the many possibilities that cloud computing offers.

As much as such services may be welcome for many users and organizations, the picture may not be as rosy for digital forensic personnel. Many services and resources no longer reside on the PCs that traditional forensic techniques have relied on, so those techniques may no longer apply, or may apply only to a limited extent.

Among the downsides are legal challenges, which may arise from quite a number of areas that are dealt with in brief below.

Jurisdictional issues are definitely going to be a challenge. Take Microsoft Azure: should a person of interest under investigation use the service, there aren’t any data centers in Kenya or Africa. Should any orders be sought from our courts, what is to be done next? Who is to be served with the said court order, and can a law enforcement agency in one country issue a binding court directive to a body in another jurisdiction? Kenya has a Mutual Legal Assistance Act that establishes a central authority under the office of the Attorney General, which acts as the point of contact for such jurisdictional issues. The Computer and CyberCrime Bill currently under debate in the National Assembly also provides for such international cooperation under Part IV. Even if we are to assume that everything runs seamlessly, the added layer of bureaucracy at the very least makes the whole process less than ideal, even Kafkaesque (whether the definition suffices is a discussion for another day).

Remember the documents that appear on our screens every time we begin using a new service, and that we simply ignore? Well, Service Level Agreements (SLAs) and Terms of Service (ToS) may have to be reviewed by every investigating officer and their legal teams. Some users or organizations may have negotiated in such agreements for more control of their data upon request, and this would go a long way in easing access. Others may stipulate that their data be destroyed after a specified amount of time, which may limit the availability of information after some time. Moreover, through such agreements the providers may have more say over metadata than the user. This may prove to be a legal hurdle even when users are being cooperative and ‘the data about data’ is what is most pertinent at the time.

What kind of service is being provided? Cloud service providers can provide any one of these three services:

  • Infrastructure as a service (IaaS)
  • Software as a service (SaaS)
  • Platform as a service (PaaS)

Each of these has its own challenges, and for some users the information of interest may still be held ‘locally’. Determining what kind of service is being offered could also determine who is to be served with court orders, e.g. for IaaS providers, one could serve the provider directly without necessarily involving the ‘owner’ of the data.

There’s definitely much more to explore and discuss in depth, especially regarding what we’ve been able to achieve and the challenges, both legal and technical. Do look out for more during our upcoming conference at the KICC in July. Visit http://cyberforensec.co.ke/ for more on the same.
