Australia: Storm clouds ahead? When information in the cloud is evidence

Last Updated: 15 April 2014

Introduction

In Part 1 of this article , we considered the issues surrounding data privacy in the cloud. In Part 2, we now turn to consider the issues which arise when using data stored in the cloud as evidence in support of investigations or litigation.

Most investigations and litigation discovery processes involve the review of electronic information held by organisations, such as emails, documents and internet histories. Organisations are often required to provide specific information to third parties, such as law enfor cement authorities, within a short timeframe.

Whilst cloud infrastructure may improve remote access to an organisation' s data, in some cases from anywhere in the world, it also reduces an organisation's direct control over the data. This means that when faced with the need to quickly produce or disclose information, organisations who store data in the cloud face some unique challenges.

In this article, Ronald Holtshausen from our Perth office considers the key issues surrounding the use of data in the cloud for litigation and law enforcement, including:

  • acquiring data from the cloud
  • the risk of modification of data
  • data sovereignty
  • data possession and control.

Data acquisition from the cloud

Imagine that your organisation has just found out that it faces investigation by a regulator - it may need to provide the regulator with a large volume of data within a short time frame. Complying with this deadline will be hard. Even if there is no such specific request, the organisation needs to understand what data it has and perhaps start its own review of that data. But then you remember - your organisation stores some, or all of its financial, operational and email data in the cloud. What can be easier , you think.
Doesn't storing company information in the cloud make data easy to access?

Unfortunately, that is not necessarily the case when it comes to acquiring and preserving a copy of an organisation's data from the cloud for investigation and litigation purposes - this can prove to be slower, and more complex than originally perceived. It can also be costly , particularly if contractual arrangements are not in place for such an event.

Conventional computer forensic acquisition procedures look to acquire and preserve data from a storage device which the investigator can physically access. The investigator can then take the appropriate precautions to isolate the data from further access and ensure it is not altered or modified during the preservation, whilst also ensuring adherence to any specifications of the search or disclosure orders.

However, in many cases, data contained in the cloud will be stored in remote infrastructure that is shared by multiple organisations. This may limit an investigator's ability to physically access the data storage facilities and isolate it from further potential modifications. The investigator may then need to employ a different approach in order to acquire the data remotely, potentially being hampered by issues such as slow connection speeds to the cloud provider.

Risk of modification of data

Many investigators rely upon metadata (such as author information, file creation, modification and access times) as part of their work, for example, to piece together a sequence of events by preparing a chronology of a document's creation and modification.

Unfortunately, whilst a cloud facility may increase an organisation's ability to access its data, it also increases the risk of potential data modification (accidental or deliberate) by employees and the cloud provider .

Simple maintenance activities performed by a cloud provider can modify metadata associated with data. This includes activities such as backups, imaging, data relocation and data replication. This means that data which could prove crucial in investigating a user's activity may be modified or lost.

When accessing data in the cloud (known as a 'remote acquisition') for litigation purposes, it is crucial that appropriate precautions are taken to preserve data artefacts that may be modified by simply downloading the data from the cloud. We recommend that all remote acquisitions are done by experienced professionals.

Example

Mr Smith resigns from his software development job at Jones & Co and is immediately walked out of the building by security. Mr Smith sets up his own business with the intent of developing and selling similar software to that designed and owned his former employer. Jones & Co becomes concerned that Mr Smith has stolen its intellectual property.

Jones & Co investigates whether Mr Smith accessed and copied its proprietary software designs and source code before his resignation. They therefore want to establish the date at which the software or source code was last accessed, and by whom.

Jones & Co stores its software specifications and source code in the cloud, so it asks its cloud provider to check the metadata of the relevant files. Unfortunately, the cloud provider does not make a forensically sound copy of the files, and so accidentally 'accesses' the files during this check. At approximately the same time Jones & Co's data gets replicated from the Singapore data centre to the cloud provider's German data centre. The data's replication to the German data centre has now resulted in further changes to potentially crucial metadata. This means that the previous date of access and modification was updated, and there is no longer any evidence linking Mr Smith to the file.

Jones & Co are not able to provide any metadata to establish the theft of their intellectual property , and Mr Smith continued to run his own business as a competitor to Jones & Co.

Data sovereignty and international concerns

Data sovereignty is the concept that information which has been converted and stored in a digital form is subject to the laws of the country in which it is located.

Data sovereignty is a key issue for organisations that use the cloud for data storage. Cloud providers often store data in offshore storage facilities to reduce costs. As a result, an organisation's data could physically be held in storage locations anywhere in the world and, potentially , in a number of different jurisdictions.

The long arm of overseas legislation

Because data may be stored outside Australia, it is important that organisations understand the privacy laws of the country where the data is located, as these may apply in contractual agreements with cloud providers.

Organisations may even find their data susceptible to foreign go vernment access in relation to investigations or litigation overseas.

For example, through the use of the American Patriot Act, brought in as a response to the events of 11 September 2001, the US Government and its agencies have powers to access Australian data held by US owned cloud providers and their subsidiaries, wherever they may be located.

This includes both:

  • Australian data held in Australia by a US owned cloud provider
  • Australian data located in the US by an internationally owned cloud provider.

Susceptibility to foreign government access does not stop with the US. A study carried out by Hogan Lovells, an international law firm, found similar data access laws in other countries 1 . The governments of the United Kingdom, Germany, France, Japan and Canada have similar laws in place allowing them to obtain personal data stored in the cloud during the course of a government investigation.

Data Sovereignty and Australian Privacy Laws

When storing data in the cloud, an organisation should be aware that the legal obligations over the protection of the data still reside with them under the Australian Privacy Principles 2 (APP 5 and APP 8).

APP 5 requires that upon data collection from a customer, organisations notify individuals of their intention to disclose personal information to recipients overseas 3 . They must also specify the location in which these disclosures may take place, if practicable to specify those countries.

APP 8 requires that before disclosing personal information to an overseas recipient, the organisation must also take reasonable steps to ensure the recipients will not breach the Australian Privacy Act. An exception to this is if the overseas entity is an 'agency' 4 and

the disclosure of the information is required or authorised by or under an international agreement relating to information sharing to which Australia is a party; or
the [organisation] reasonably believes that the disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body and the recipient is a body that performs functions, or exercises powers, that are similar to those performed or exercised by an enforcement body.

This means that if an organisation is required to provide data as part of an investigation, either by an Australian or foreign law enforcement agency, then it is not required to inform the customer of the disclosure of that data. However, organisations should determine whether their cloud provider is required to notify them of such requests as part of their contractual arrangements.

Issues with possession and control

In dealing with data stored in the cloud, it is important to understand not only where the data resides (the entity which has possession of it), but also which entity utilises the data and is able to modify it, i.e. the entity which is in control of the data.

As we have discussed, many organisations who place their data into cloud storage may be required to produce this information for legal or investigative purposes; but to whom should investigators address these data requests? Should it be the user organisation, as they are the uploader or generator of the data and already have access to it? Or should it be the cloud entity, as they are the entity who have possession of the data storage?

A Singapore Case

A recent Singapore case 5 has discussed this very notion of possession and control of data from a legal discovery point of view when storing email communications and their attached data in the cloud. In particular, there was much discussion around the technical aspects of who has possession and control of 'cloud based email services'.

"This is because, in so far as emails accessed using web browsers are concerned (such as Gmail, Yahoo, Hotmail, and web-based/off-site corporate email accounts), the email user does not technically have possession and custody over the emails, as the emails are stored on mail servers and data centres sited in remote locations. In this case, the user may still download and save a copy of the emails in his computer, hard disk, smart phone, tablet device, or some other compound document. However, unless the user has saved his emails in his computer or in similar devices, what the user has in his possession is not the email itself, but the username and password to access the emails in the possession of the email provider. To this end, the email provider is in effect a custodian of the electronically stored information in the user's email account." 6

With this in mind, a suitable understanding of the cloud infrastructure should be obtained before drafting discovery orders to ensure that they are correctly instructing the entities, and more importantly, identifying the correct entity when making orders for discovery.

The judge in the Singapore case allowed the application for discovery , and commented from a practical perspective, saying:

"The plaintiffs are not seeking discovery of physical printouts of emails kept by the defendants, neither are they seeking discovery of soft copies of emails saved in the defendants' computers, smart phones or other compound documents (storage devices or database). If this was the case, the defendants can be found to be in possession and custody of these physical printouts, or the saved softcopies kept in their computers. Instead, the plaintiffs are seeking discovery of the emails in the defendants email accounts." 7

On this basis, at least from a Singapore perspective, it suggests that for disclosure of web based email, suitable care should be taken to determine where the data may reside and which entity the discovery orders should be served on.

In our experience the appropriate use of forensic tools, together with the express permission of the web based email account user (and assuming there are no issues with the terms and conditions of the web based email provider) can allow for the appropriate collection of web based email accounts.

To date, we are unaware of any Australian cases regarding such a scenario but there could be significant implications for data privacy.

In the definitions of the Privacy Act an entity 'holds' personal information if it has possession and control.

Could it be that Google or Hotmail might be deemed to be holding personal information through its hosting of email accounts?

Our recommendations

Storing data in the cloud has obvious cost benefits, but organisations who do so must address some unique challenges when faced with an investigation or litigation. In particular , the risks surrounding data privacy in the cloud (as discussed in the last article) mean that it is important to be 'litigation ready'.

We suggest that:

All remote acquisition is undertaken by an experienced forensic technology professional, to avoid the risks of data modification.

  • Alternatively, organisations may request cloud providers to assist investigators in acquiring data. This scenario should be discussed as part of contractual agreements to avoid additional costs, however ,organisations should ensure that the cloud provider has the requisite experience to do this without modification of the data.
  • Organisations should obtain confirmation (and ensure regular updates) from cloud providers of the location in which their data is stored, and whether the local legislation will apply.
  • Whilst requests from regulatory and law enforcement agencies for data stored in the cloud may be unavoidable, ensure that suitable contractual arrangements are in place, including whether your cloud provider is required to notify you of such requests.
  • Legal teams should give due consideration to the wording in their orders for the discovery of cloud based data. Again, expert assistance can assist in ensuring that the appropriate information is collected in a timely manner.
  • So, ask yourself, when your organisation is faced with litigation, or required to provide evidence as part of an investigation, how ready will you be?

Endnotes

1 See http://www.hoganlovells.com/newsmedia/newspubs/ detail.aspx?news=2268
2 See http://www.oaic.gov.au/images/documents/privacy/ privacy-resources/privacy-fact-sheets/privacy-fact-sheet- 17-australian-privacy-principles_2.pdf.
3 See http://www.oaic.gov.au/images/documents/privacy/ engaging-with-you/current-privacy-consultations/Draft-APP- Guidelines-2013/Draft_APP_Guidelines_Chapter_8.pdf
4 As defined by the Privacy Act 1988, Section 6, an agency would include most Commonwealth government bodies and representatives, including the AFP and the Federal Court. See http://www.austlii.edu.au/au/legis/cth/consol_act/ pa1988108/s6.html
5 Dirak Asia Pte Ltd and another v Chew Hua Kok and another [2013] SGHCR 01
6 Dirak Asia Pte Ltd and another v Chew Hua Kok and another [2013] SGHCR 01 [12]
7 Ibid [11]

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
 
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions