Comments at the COE’s Hearing on Transborder Access to Data

Aug 12, 2013 9:46am

Periodically the APWG gets asked its opinion on various policy matters. We hope this is not because they have received no comments but rather because they know the APWG has members and activities world-wide and they value our opinions.

Such an opportunity arose in June 2013 with the Council of Europe. The Secretary of the Cybercrime Convention Committee (T-CY) invited us to a public hearing on transborder access to data organised by the T-CY on 3 June 2013, in Strasbourg, France. The goal of the public hearing was to give private sector entities and civil society organisations the opportunity to express their views:

  • on current practices and experiences regarding transborder access to data and
  • on a possible Additional Protocol to the Budapest Convention on Cybercrime.

There is a bunch of background material and a nice problem explanation at the T-CY Public Hearing webpage.

 

The Overall Concern

In short, the concern was raised that the data used in much criminal activity is transborder in nature. I.e., the stolen credential database is in a different jurisdiction than where the criminal is, and there are no good accepted practices on how one legally grabs such data from "the cloud" or when the actual location of the data is unknown or is mobile.

 

Our Commentary

Our commentary is here; it is about ten pages in length.

We had numerous goals in submitting comments and having subsequent discussions.

  • First, we have heard from our members that the problem is real and, not being a vendor, we could present the concerns in a non-political way.
  • Secondly, I hate to have a good educational opportunity go to waste. Many times the governmental, ministerial, or judicial representatives have little or no operational experience; we can use sessions like these to explain how things work in practice to help the officials better understand our problems and to reduce future misunderstandings.
  • Third, many officials still think of data as a physical attribute, e.g., the data is *there* (pointing to a server). In reality, data is *somewhere*, as in "on a server I control", and it moves around if I need it to. This seemed a good opportunity to raise this topic again.

 

On the physicality of data goal, there have been situations where law enforcement has gotten the right paperwork to seize data in country X only to show up in country X and find out the data has moved to country Z. Such movement requires the paperwork regime to restart for country Z. :(  Even non-criminal activities may move data around for cost or operational reasons. I have been known to move data around as one of our servers gets ill - my customers need the access and don't really care where the data is as long as they can get to it. No criminality involved (I think). But how do we make such situations workable for both law enforcement and private entities?

One suggestion was to use less of the *where* and more of the *who*. Most of the accepted privacy schemes/regimes require a data owner or controller. That identified party is expected to know where their data is and to control access to it. Instead of worrying about where the data is, maybe we should make the acceptable practice one where the legal service is to the data controller to deliver the data, irrespective of where it is. Now, the criminal world doesn’t exactly have data protection officers, so there needs to be some escalation to the service providers where the provider could present the data irrespective of which cloud it was hiding in as long as it was under some definition of their ‘control’.

As the criminals always find a new, and sometimes novel, way around the laws and practices, there needs to be additional thought on whether this idea has any merit and to understand all the possible scenarios that could arise.

Maybe it’s a good idea; maybe not. But to figure out an acceptable (workable) solution to data movement we should probably think a little less physically and more as a control issue.