Storm clouds ahead? When information in the cloud is evidence - Disclosure & Electronic Discovery & Privilege

Introduction

In Part 1 of this article , we considered the issues surrounding data privacy in the cloud. In Part 2, we now turn to consider the issues which arise when using data stored in the cloud as evidence in support of investigations or litigation.

Most investigations and litigation discovery processes involve the review of electronic information held by organisations, such as emails, documents and internet histories. Organisations are often required to provide specific information to third parties, such as law enfor cement authorities, within a short timeframe.

Whilst cloud infrastructure may improve remote access to an organisation' s data, in some cases from anywhere in the world, it also reduces an organisation's direct control over the data. This means that when faced with the need to quickly produce or disclose information, organisations who store data in the cloud face some unique challenges.

In this article, Ronald Holtshausen from our Perth office considers the key issues surrounding the use of data in the cloud for litigation and law enforcement, including:

acquiring data from the cloud
the risk of modification of data
data sovereignty
data possession and control.

Data acquisition from the cloud

Imagine that your organisation has just found out that it faces investigation by a regulator - it may need to provide the regulator with a large volume of data within a short time frame. Complying with this deadline will be hard. Even if there is no such specific request, the organisation needs to understand what data it has and perhaps start its own review of that data. But then you remember - your organisation stores some, or all of its financial, operational and email data in the cloud. What can be easier , you think.
Doesn't storing company information in the cloud make data easy to access?

Unfortunately, that is not necessarily the case when it comes to acquiring and preserving a copy of an organisation's data from the cloud for investigation and litigation purposes - this can prove to be slower, and more complex than originally perceived. It can also be costly , particularly if contractual arrangements are not in place for such an event.

Conventional computer forensic acquisition procedures look to acquire and preserve data from a storage device which the investigator can physically access. The investigator can then take the appropriate precautions to isolate the data from further access and ensure it is not altered or modified during the preservation, whilst also ensuring adherence to any specifications of the search or disclosure orders.

However, in many cases, data contained in the cloud will be stored in remote infrastructure that is shared by multiple organisations. This may limit an investigator's ability to physically access the data storage facilities and isolate it from further potential modifications. The investigator may then need to employ a different approach in order to acquire the data remotely, potentially being hampered by issues such as slow connection speeds to the cloud provider.

Risk of modification of data

Many investigators rely upon metadata (such as author information, file creation, modification and access times) as part of their work, for example, to piece together a sequence of events by preparing a chronology of a document's creation and modification.

Unfortunately, whilst a cloud facility may increase an organisation's ability to access its data, it also increases the risk of potential data modification (accidental or deliberate) by employees and the cloud provider .

Simple maintenance activities performed by a cloud provider can modify metadata associated with data. This includes activities such as backups, imaging, data relocation and data replication. This means that data which could prove crucial in investigating a user's activity may be modified or lost.

When accessing data in the cloud (known as a 'remote acquisition') for litigation purposes, it is crucial that appropriate precautions are taken to preserve data artefacts that may be modified by simply downloading the data from the cloud. We recommend that all remote acquisitions are done by experienced professionals.

Example

Mr Smith resigns from his software development job at Jones & Co and is immediately walked out of the building by security. Mr Smith sets up his own business with the intent of developing and selling similar software to that designed and owned his former employer. Jones & Co becomes concerned that Mr Smith has stolen its intellectual property.

Jones & Co investigates whether Mr Smith accessed and copied its proprietary software designs and source code before his resignation. They therefore want to establish the date at which the software or source code was last accessed, and by whom.

Jones & Co stores its software specifications and source code in the cloud, so it asks its cloud provider to check the metadata of the relevant files. Unfortunately, the cloud provider does not make a forensically sound copy of the files, and so accidentally 'accesses' the files during this check. At approximately the same time Jones & Co's data gets replicated from the Singapore data centre to the cloud provider's German data centre. The data's replication to the German data centre has now resulted in further changes to potentially crucial metadata. This means that the previous date of access and modification was updated, and there is no longer any evidence linking Mr Smith to the file.

Jones & Co are not able to provide any metadata to establish the theft of their intellectual property , and Mr Smith continued to run his own business as a competitor to Jones & Co.

Data sovereignty and international concerns

Data sovereignty is the concept that information which has been converted and stored in a digital form is subject to the laws of the country in which it is located.

Data sovereignty is a key issue for organisations that use the cloud for data storage. Cloud providers often store data in offshore storage facilities to reduce costs. As a result, an organisation's data could physically be held in storage locations anywhere in the world and, potentially , in a number of different jurisdictions.

The long arm of overseas legislation

Because data may be stored outside Australia, it is important that organisations understand the privacy laws of the country where the data is located, as these may apply in contractual agreements with cloud providers.

Organisations may even find their data susceptible to foreign go vernment access in relation to investigations or litigation overseas.

For example, through the use of the American Patriot Act, brought in as a response to the events of 11 September 2001, the US Government and its agencies have powers to access Australian data held by US owned cloud providers and their subsidiaries, wherever they may be located.

This includes both:

Australian data held in Australia by a US owned cloud provider
Australian data located in the US by an internationally owned cloud provider.

Susceptibility to foreign government access does not stop with the US. A study carried out by Hogan Lovells, an international law firm, found similar data access laws in other countries ¹ . The governments of the United Kingdom, Germany, France, Japan and Canada have similar laws in place allowing them to obtain personal data stored in the cloud during the course of a government investigation.

Data Sovereignty and Australian Privacy Laws

When storing data in the cloud, an organisation should be aware that the legal obligations over the protection of the data still reside with them under the Australian Privacy Principles ² (APP 5 and APP 8).

APP 5 requires that upon data collection from a customer, organisations notify individuals of their intention to disclose personal information to recipients overseas ³ . They must also specify the location in which these disclosures may take place, if practicable to specify those countries.

APP 8 requires that before disclosing personal information to an overseas recipient, the organisation must also take reasonable steps to ensure the recipients will not breach the Australian Privacy Act. An exception to this is if the overseas entity is an 'agency' ⁴ and

the disclosure of the information is required or authorised by or under an international agreement relating to information sharing to which Australia is a party; or

the [organisation] reasonably believes that the disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body and the recipient is a body that performs functions, or exercises powers, that are similar to those performed or exercised by an enforcement body.

This means that if an organisation is required to provide data as part of an investigation, either by an Australian or foreign law enforcement agency, then it is not required to inform the customer of the disclosure of that data. However, organisations should determine whether their cloud provider is required to notify them of such requests as part of their contractual arrangements.

Issues with possession and control

In dealing with data stored in the cloud, it is important to understand not only where the data resides (the entity which has possession of it), but also which entity utilises the data and is able to modify it, i.e. the entity which is in control of the data.

As we have discussed, many organisations who place their data into cloud storage may be required to produce this information for legal or investigative purposes; but to whom should investigators address these data requests? Should it be the user organisation, as they are the uploader or generator of the data and already have access to it? Or should it be the cloud entity, as they are the entity who have possession of the data storage?

A Singapore Case

A recent Singapore case ⁵ has discussed this very notion of possession and control of data from a legal discovery point of view when storing email communications and their attached data in the cloud. In particular, there was much discussion around the technical aspects of who has possession and control of 'cloud based email services'.

"This is because, in so far as emails accessed using web browsers are concerned (such as Gmail, Yahoo, Hotmail, and web-based/off-site corporate email accounts), the email user does not technically have possession and custody over the emails, as the emails are stored on mail servers and data centres sited in remote locations. In this case, the user may still download and save a copy of the emails in his computer, hard disk, smart phone, tablet device, or some other compound document. However, unless the user has saved his emails in his computer or in similar devices, what the user has in his possession is not the email itself, but the username and password to access the emails in the possession of the email provider. To this end, the email provider is in effect a custodian of the electronically stored information in the user's email account." ⁶

With this in mind, a suitable understanding of the cloud infrastructure should be obtained before drafting discovery orders to ensure that they are correctly instructing the entities, and more importantly, identifying the correct entity when making orders for discovery.

The judge in the Singapore case allowed the application for discovery , and commented from a practical perspective, saying:

"The plaintiffs are not seeking discovery of physical printouts of emails kept by the defendants, neither are they seeking discovery of soft copies of emails saved in the defendants' computers, smart phones or other compound documents (storage devices or database). If this was the case, the defendants can be found to be in possession and custody of these physical printouts, or the saved softcopies kept in their computers. Instead, the plaintiffs are seeking discovery of the emails in the defendants email accounts." ⁷

On this basis, at least from a Singapore perspective, it suggests that for disclosure of web based email, suitable care should be taken to determine where the data may reside and which entity the discovery orders should be served on.

In our experience the appropriate use of forensic tools, together with the express permission of the web based email account user (and assuming there are no issues with the terms and conditions of the web based email provider) can allow for the appropriate collection of web based email accounts.

To date, we are unaware of any Australian cases regarding such a scenario but there could be significant implications for data privacy.

In the definitions of the Privacy Act an entity 'holds' personal information if it has possession and control.

Could it be that Google or Hotmail might be deemed to be holding personal information through its hosting of email accounts?

Our recommendations

Storing data in the cloud has obvious cost benefits, but organisations who do so must address some unique challenges when faced with an investigation or litigation. In particular , the risks surrounding data privacy in the cloud (as discussed in the last article) mean that it is important to be 'litigation ready'.

We suggest that:

All remote acquisition is undertaken by an experienced forensic technology professional, to avoid the risks of data modification.

Alternatively, organisations may request cloud providers to assist investigators in acquiring data. This scenario should be discussed as part of contractual agreements to avoid additional costs, however ,organisations should ensure that the cloud provider has the requisite experience to do this without modification of the data.
Organisations should obtain confirmation (and ensure regular updates) from cloud providers of the location in which their data is stored, and whether the local legislation will apply.
Whilst requests from regulatory and law enforcement agencies for data stored in the cloud may be unavoidable, ensure that suitable contractual arrangements are in place, including whether your cloud provider is required to notify you of such requests.
Legal teams should give due consideration to the wording in their orders for the discovery of cloud based data. Again, expert assistance can assist in ensuring that the appropriate information is collected in a timely manner.
So, ask yourself, when your organisation is faced with litigation, or required to provide evidence as part of an investigation, how ready will you be?

Endnotes

¹ See http://www.hoganlovells.com/newsmedia/newspubs/ detail.aspx?news=2268
² See http://www.oaic.gov.au/images/documents/privacy/ privacy-resources/privacy-fact-sheets/privacy-fact-sheet- 17-australian-privacy-principles_2.pdf.
³ See http://www.oaic.gov.au/images/documents/privacy/ engaging-with-you/current-privacy-consultations/Draft-APP- Guidelines-2013/Draft_APP_Guidelines_Chapter_8.pdf
⁴ As defined by the Privacy Act 1988, Section 6, an agency would include most Commonwealth government bodies and representatives, including the AFP and the Federal Court. See http://www.austlii.edu.au/au/legis/cth/consol_act/ pa1988108/s6.html
⁵ Dirak Asia Pte Ltd and another v Chew Hua Kok and another [2013] SGHCR 01
⁶ Dirak Asia Pte Ltd and another v Chew Hua Kok and another [2013] SGHCR 01 [12]
⁷ Ibid [11]

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Australia: Storm clouds ahead? When information in the cloud is evidence