It is not always clear whether different types of cloud services are considered and regulated as “electronic communication services” or “information society services”.It is not always clear whether different types of cloud services are considered and regulated as “electronic communication services” or “information society services”.

The internet’s continued presence in the everyday lives of citizens has increased in more ways than one. More people use it to pursue educational aims, participate in social and cultural life, do business, and to interact with one another or with their governments. Any public policy for the internet should be people-oriented, meaning that it should at all times respect the core values of democracy, human rights and the rule of law.

In an ideal setting, the internet is there to serve the interests of its users by remaining universally accessible, open and innovative as well as being multi-stakeholder and people-centred in its governance. But problems do crop up along the way and therefore need to be addressed.

Governance of the internet is a relatively recent phenomenon which can be considered unchartered, technical, and not the sole responsibility of governments or organisations. Vital and highly sensitive areas in need of adequate legislative protection and sustained efforts would include sexual abuse and exploitation of children online, action to fight organ and human trafficking and the sale of counterfeit medicines and drugs.

The online safety and security of internet users is a shared responsibility. This requires action to combat cybercrime in whatever form it takes, such as the exploitation, harassment and bullying of people using the internet.

On demand, or as it also popularly known cloud computing, consists of a type of internet-based computing that enables convenient, on demand network access to a shared pool of configurable computing resources, and which can be rapidly provisioned and released with minimal management effort or service provided interaction. These would include networks, servers, storage, and applications and services.

The term “cloud” was coined in the 1990s with the advent of virtual private networks. At first, cloud computing was used to simplify business processes but its application gained popularity among scientific and gaming communities as well. It is now widely accepted as a secure means of data storage and shared processing power. On the negative side, online security remains an engaging issue since the internet continues to present ongoing security concerns.

Cloud computing has become a highly demanded service or utility offering the advantages of high computing power, cheap cost of services, high performance, scalability, accessibility and availability. So what are the likely hazards that may jeopardise these technological advances?

In the absence of clear international rules, governments tend increasingly to take unilateral action

Security and privacy experts have long warned that cyber criminals would launch attacks on servers storing the data in cloud environments. Also, criminals are now known to be using the cloud infrastructure itself to get more capability out of their efforts to siphon money out of bank accounts across the globe. In other words, the same flexibility and freedom companies get from having their software and services hosted in the cloud is enabling criminals to conduct highly automated online banking them.

Novel technologies are known to open doors and unleash myriad possibilities to servers and recipients alike but they can also create problems hitherto unknown.

A newly emerging challenge in the legal domain has to do with criminal justice access to data – so called “evidence in the cloud”.

More specifically, it concerns which law to apply and in which jurisdiction to enforce. The crux here is that whereas law enforcement rules are bound with the principle of territoriality, data may be held temporarily or in parts by multiple layers of cloud service providers. In various State jurisdictions, it is often questionable how law enforcement authorities can legally access evidence in this context.

In the absence of clear international rules, governments tend increasingly to take unilateral action. The ensuing result has led to “a jungle of approaches” with risks for state-to-state relations and the rights of the individual.

The complex issues involved can be quite substantial in kind: its key characteristic of independence of location, the fact that a server provider may fall under different layers of jurisdictions for sundry legal aspects related to its service at one and the same time, the sharing and pooling of resources, the unclear nature as to whether data is stored or in transit bearing upon weather production orders, search and seizure orders, interception or real-time collection orders are to be served.

Furthermore, it is not always clear whether different types of cloud services are considered and regulated as “electronic communication services” or “information society services”. In turn, this has implications on the type of and conditions for procedural law powers that can be applied.

The Budapest Convention is the most relevant international treaty on cybercrime and the electronic evidence. State parties undertake to establish a list of offences against and by means of computers in their criminal law and provide law enforcement with the powers to secure specified computer data in specific criminal investigations and in relation to any criminal offence.

Such powers are to be limited through rule of law safeguards as well as engage in efficient international police-to-police and judicial cooperation, including through a 24/7 network of contact points.

Specific problems may also arise regarding interceptions.

The non-localised nature of cloud computing causes problems for live forensics (online forensics) and searches on account of the structure of the cloud such as multi-tenancy, distribution and recognition of data. Legal challenges may also be related to the integrity and validity of the data collection, evidence control, ownership of the data or jurisdiction matters.

In this respect, the Cybercrime Convention Committee, which represents the state parties to the Budapest Convention on Cybercrime is currently exploring solutions to address some of these new challenges. The committee at the moment comprises 66 parties and observer states as well as the European Commission. Malta is a party to the Budapest Convention.

Other important groups and organisations that take part include Europol, Eurojust, Interpol and the UN Office on Drugs and Crime.

The committee’s main task is to assess the implementation of the treaty in practice, adopt guideline notes and may also prepare additional protocols to the convention.

Incidentally, it is also within the remit of this committee to deal with problems such as the one we have referred to concerning cloud computing and access to criminal justice.

Stefano Filletti is a lawyer and the head of Department of Criminal Law at the Faculty of Laws, University of Malta.

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.