Sunday 20 June 2010

Chrome and cops and cyberspace



I had just posted yesterday’s blog when my another idea popped into my brain and got me going again. This time, it was based an article I had had read, which prompted me to think again about the implications of the advice I had given in the penultimate paragraph of that post. For those who don’t want to scroll down to read it in its original place, here it is again:

Finally, one of the most frequently asked questions from investigators involves accessing the email account of a suspect when the password to that account has come into the possession of investigators. ‘I have X’s password: can I access his email account?’ Without the informed (and preferably written) consent of the suspect, no: such action constitutes a criminal offence under the Computer Misuse Act 1990.

You see, just after posting that article I read Mike Harvey’s piece in The Times, headlined “Google launches cloud-based assault on Microsoft”. Google’s Chrome operating system will challenge Microsoft’s position in the marketplace, and may well require a significant change in police investigation techniques, too.

What do I mean? Well, basically, we’ll soon be able to buy laptops loaded with Chrome, a “cloud-based” computing system which means that we could be doing all our computing via the web rather than installing software on our PC. This has become possible because most users can access the web anywhere with Wi-Fi or 3G connections. It has become attractive because the vast majority of popular computer applications such as e-mail, Facebook and news sites are now on the web.

Will we ever need to store much stuff on our laptops again? – possibly not – so these will become cheaper and involve less hassle when we change them. We’ll still be able to access all our “stuff”, as it will be stored on a cloud server somewhere on the internet, rather than in the memory on our own devices.

Google claims that cloud-based software was a “better model of computing”. Chrome OS would be easier and more secure to use and the laptops running it would be faster to start up. A user would be able to access his or her services from any computer and any device because the services will all exist “in the cloud”, on remote servers.

Well well well. Does this pose a problem for the investigators? If they can’t seize a device and forensically examine it to see what’s stored in its memory (or cashes), does this make life harder for them? I think it might – for all but the most serious (say National Security) investigations, anyway.

If nothing is actually stored on the device itself it might question the need for the dawn raid on a property to seize hardware and arrest a miscreant on the grounds that he was being suspected of being “in possession” of unlawful software (say unlawfully obtained copyright material) , as its possible that all the miscreant might have would be a set of passwords. The contraband, as it were, could well be stored in cloud servers anywhere in the world. (And with back-up copies elsewhere, all over the world).

What could an investigator do?

Presumably, he would first fill in another of his trusty RIPA forms and shove one in Google’s direction and demand that they produce the relevant traffic data – ie whatever transmission records they have. But transmission records in respect to what? If an investigator does not know what device was used to alter the stuff on the cloud (assuming the investigator even knows what stuff is up in the cloud in the first place), then what will this RIPA demand actually demand? As I don’t work for Google, I guess I’ll never know.

Perhaps the investigator could just apply to the courts for a Production Order to be served on Google for them to pass over the relevant content. But again, if an investigator does not know who or what device was used to alter the stuff on the cloud (assuming the investigator even knows what stuff is up in the cloud in the first place), then what will this Production Order actually demand? As I don’t work for Google, again I guess I’ll never know.

And what would a British Judge do in such circumstances, when of course they have to adhere to all of our human rights legislation and permit such orders only when evidence could be adduced to assert that the request was both necessary and proportionate? Would a judge approve a “fishing expedition”?
And if a British Judge was averse to fishing, could the material be obtained elsewhere?

And here is my cunning plan – yes I think it can. But it does depend on our remaining friends with our American pals, and relations do appear somewhat muddied right now.

In the unfortunately selected words of a (perhaps soon to be former) Chairman of BP, we might be able to ask some “little people” to use their own domestic legislation to permit a more general rummage around the cloud, if the investigation is sufficiently serious. Remember, back in 2001 the 107th US Congress passed the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act. It’s more commonly known as the Patriot Act.

Passed by huge majorities in both Houses of Congress, the Act dramatically reduced restrictions on law enforcement agencies' ability to search telephone, e-mail communications, medical, financial, and other records; eased restrictions on foreign intelligence gathering within the United States; expanded the Secretary of the Treasury’s authority to regulate financial transactions, particularly those involving foreign individuals and entities; and broadened the discretion of law enforcement and immigration authorities in detaining and deporting immigrants suspected of terrorism-related acts. The Act also expanded the definition of terrorism to include domestic terrorism, thus enlarging the number of activities to which the Act’s expanded law enforcement powers could be applied.

Dr Chris Pounder, the hugely respected authority in this area, has recently reminded us all of the subtly different approaches to the way the law can be flexed to assist investigators. He considers that the difference between the two approaches is profound. American law would, for example, permit an investigator to say “give us a range of data about transactions in a certain region” as we are investigating “terrorism” (whatever that is). By contrast, in order to comply with human rights legislation, EU investigators are only allowed to say something like “give us the data on this known entity or specific individual” in relation to “terrorism”. More details of his reasoning is available in his blog - http://amberhawk.typepad.com.

Put in these terms, it is easy to see that in the USA you can make general requests for “data” whereas in the EU you have to make specific targeted requests about individuals or entities.

So how would British investigators flex their special relationship with these pals to get Google to open their doors to the cloud from their side of the pond if the British legal system wasn’t keen on permitting access from this side of the pond? I'm not too sure, but I’m confident the wheels could be carefully oiled – once we’ve sorted out that other oily problem closer to their shores. I can’t see them looking too fondly on helping our law enforcers with fishing expeditions involving, say, BT customers until BP resolves the problems it has with all those American fishermen.

So, if its “Farewell RIPA”, it could be “Hello Patriot”, and long live that “special relationship” that no-one can quite put their finger on.