Martin McKeay, Senior Security Advocate, Akamai

I’ve been seeing a disturbing and dangerous precedent being set by legal entities in the US and the UK in recent months.  Both countries are trying to extend the reach of their law enforcement organizations outside the bounds of their own countries.  In the case of the UK, it’s the Data Retention and Investigatory Powers (DRIP) bill that was passed earlier this year, which explicitly grants law enforcement the right to subpoena businesses in other countries.  In the case of the US, it’s telling Microsoft it has to turn over data held on Irish servers, and prosecutors in the Silk Road case stating that Constitutional rights don’t apply when the server is overseas.  All of these are scary trends in democratic societies and are especially dangerous in that they feed claims by other governments that hacking the US and UK is acceptable under the rule of law.

If you followed DRIP leading up to its passing, you’d have heard a lot of promises that there would be controls and limitations around the law protecting UK citizens.  The law was created in response to the European Union declaring that current EU data retention laws were invalid and counter to personal freedom.  British politicians feared that the data currently retained by businesses under the EU law would be lost and law enforcement had to preserve data on UK citizens or some sort of undefined catastrophic inability to prosecute criminals would happen.  But when the legislation was ramrodded through the legal process, all of those promised controls got stripped out.  Some might take offense to the term ‘ramrodded’, but any serious legislation that is passed as an emergency measure in less than a week due to an unclear danger to the populace has to qualify if anything ever will.

DRIP is dangerous in that it mandates extensive data retention, explicitly countering the decision of the European Court of Justice.  What makes it even more dangerous internationally is that it explicitly grants UK law enforcement the ability to issue subpoenas against businesses and organizations that are outside the boundaries of the UK.  There are existing bilateral agreements with countries around the globe to handle requests for data from foreign agencies, and DRIP circumvents these with a new process that is undefined.  It also opens the door for other countries to enact similar laws, requiring businesses within the confines of the UK to give up data without regard for treaties or national boundaries.

The case with Microsoft is similar, in that a US law enforcement agency issued a warrant for emails on a server in Ireland, a warrant Microsoft has so far refused to honor.  The legal logic of the judges involved so far has been that Microsoft is a company that is headquartered in the US and it can easily copy the information to US servers, where it would be fully required to comply with any warrant.  This logic, that an American company might be forced to divulge information on a foreign server, has been building since the creation of the Patriot Act, but the actions by Microsoft mark the first known instance of such an exercise.  It is likely that other organizations have already been compelled to release data from foreign servers, but due to the gag orders that surround Patriot Act compulsion, it has been impossible for a company to bring the case to court previously.

Microsoft’s case is similarly dangerous to the DRIP law in that it forces a company to disclose information that is held on servers outside the jurisdiction of the agency and country wanting it.  Just like the issues with DRIP, there are existing international agreements that should cover the handling of data on foreign servers.  During the current year, Russia has been showing a dangerous trend of requiring companies who serve Russian citizens to keep the data within the country.  If Russia were to continue in this direction and follow the US and UK, it is completely conceivable that they could pass laws requiring companies to give up data on Russian citizens no matter where the data was held.

Related to both of these is the insistence by prosecutors on behalf of the FBI that any hacking they may or may not have done in pursuit of Ross Ulbricht and the Silk Road black market site was allowable because the site was hosted on foreign servers.  We need to ignore the additional point that it had a reputation as a criminal haven, though having a reputation should not negate the legal protections from search and seizure.  Instead, we need to focus on the apparent assertion that simply because an American’s data is held on a server that is not on US soil, all rights given to the citizen are null and void.

As the Cloud becomes more ubiquitous in our daily lives, it becomes an almost certain fact that at some point the data of every citizen will be held on servers outside our native environs.  By its very nature, data in the Cloud is supposed to be data independent, and while your data may start as hosted in a set of servers on the East Coast of the US, it might be moved to New Zealand or Nova Scotia if that’s where the provider deems the best use of their resources.  The logic that the FBI prosecutors use means that the data would therefore become a valid target for law enforcement to then hack and that any Fourth Amendment rights to protection from unreasonable search and seizure would be suspended.

This last issue is perhaps the most concerning of the three, at least in the short term.  If American law enforcement officers can argue successfully that the mere presence on a foreign server makes data a viable target for hacking, it opens a number of doors for other governments to make the exact same assertion for their activities against American companies.  Hacking of Google, Facebook and any other repository of personal data becomes an easily justified action, as there are surely criminals using these systems and they’re a valid target for hacking.  If this excuse works for the United States, there’s no reason to believe it won’t work just as well for other countries.

It’s a tumultuous time as we figure out the legal structures and rules that need to be applied to the Internet, the Cloud and the privacy of individuals.  As is the nature of law enforcement and legislators, they’ll be working to grab as much power to gather data as possible.  It will only be over time, as we push back and try to regain individual rights, that we codify what is legal and allowable for governments to do.  But creating precedents that state it’s okay for my government to access data that’s housed on foreign soil becomes dangerous when other governments view our soil as foreign.  One maxim of the legal system is that you should never give yourself a power you don’t want your worst enemy to exploit against you.

 

http://www.infosecurity-magazine.com/blogs/setting-a-dangerous-precedent-its/