Evidence and Cloud computing
By Kostas Pratikakis
What is cloud computing? It is quite possible that you have heard someone say that he/she saves photos, documents and other data on “cloud” to transfer them between devices.
This “cloud” is nothing more than databases, service platforms and software, which are not really in your device.
Thanks to the Internet, a cloud service user -that being you, companies or the State- can use his/her device to have access to these databases, service platforms and software, which might be hundreds or thousands kilometres away. Well-known examples of cloudcomputing are: Microsoft Office 365, Salesforce, Facebook, Youtube, Instagram, Google Drive, Dropbox, Gmail, Yahoo Mail, Spotify, Vimeo, Twitter, etc.
Cloud computing definitely creates unlimited opportunities. However, it also creates many issues. For instance, a person residing in Greece can save his data in a platform belonging to a US company; the databases of this company might be in one or more States, such as Australia or Japan. All these different States can cause a headache in the event that a search regarding a serious crime takes place.
In this context, the Council of Europe announced in June 2017 the drafting of new additional protocol to the Convention on Cybercrime (Budapest Convention), concerning cloud computing.
The new additional protocol, which is expected to be finalized by the end of 2019, aims at the successful exchange of information and mutual court assistance, providing for the cooperation with the service providers and the demarcation of the existing practices of transboundary access to data.
The main purpose of this venture is the reinforcement of the protection of human rights in the context of certain criminal proceedings, which require access to certain data.
On July 2018, the “Octopus Conference 2018” of the Council of Europe took place. This conference aims at enhancing cooperation against cybercrime. This year, the centre of discussion was the important challenges, which arise from the adoption of an additional protocol to the Budapest Convention concerning cloud computing.
Experts on cybercrime, States delegates, academics and civil society representatives, such as European Digital Rights (EDRi) and Electronic Frontier Foundation (EFF), discussed their views and concerns related to the new protocol.
Before we describe the challenges which arise, let us begin with explaining in a few words the Budapest Convention and the existing additional protocol to it.
The Budapest Convention and the existing Additional Protocol to it on the Criminalization of acts of racist and xenophobic nature through computer systems
As criminal activities increasingly use and on the same time influence the electronic systems for data proceeding, there was a need for new criminal provisions to confront this challenge. Therefore, the Council of Europe adopted the Convention on Cybercrime (Budapest Convention), which constitutes a binding international legal act which concerns crimes through or against electronic networks. The existing Additional Protocol to the Budapest Convention concerns the criminalization of acts of racist and xenophobic nature committed through computer systems.
Although Greece signed the Budapest Convention and the Additional Protocol to it in 2001 and 2003 respectively, it demonstrated negligence once more and finally ratified them with Law 4411 in 2016, thus harmonizing the Greek legislation with their provisions and changing significantly the Criminal Code.
The Budapest Convention permits the accession of third countries, non-members to the Council of Europe. It remains the most significant international convention concerning violations of the law through the Internet or other networks of information and its text has been ratified by third countries, non-members to the Council of Europe, such as USA, Argentina, Australia, Chile, Canada, Japan, Israel, etc.
The Convention requires that the States parties to it update and harmonize their criminal legislation on piracy and other security systems violations, including the violation of copyrights, fraud though computer systems, child pornography and other illegal activities in cyberspace.
It also provides for procedural powers concern the search of computer networks and the monitoring of communications in the context of confronting cybercrime. It also promotes efficient international cooperation.
Although the Convention is not a means for the promotion of the right to the protection of personal data, it criminalizes activities which may violate the right in question. It also requires from the parties to adopt legal measures, which will permit their national authorities to monitor traffic and content data. Finally, it obliges the parties to it to provide for adequate protection of the fundamental rights and freedoms, including those protected under the ECHR, when implementing the Convention.
The Additional Protocol to the Budapest Convention includes the circulation of xenophobic and racist content through the Internet within the scope of the Convention. Moreover, it provides for the use of procedural means to be used against these violations.
This Additional Protocol acknowledges the need to safeguard a balance between freedom of expression and the ceasure of acts of racist and xenophobic nature. Finally, international cooperation regarding the alleviation of cybercrime related to racism and xenophobia is promoted.
Potential challenges arising from the new Additional Protocol to the Budapest Convention on the effective exchange of information and the mutual court assistance in the context of cloud computing
Now that we briefly discussed the scope of the Budapest Convention and the existing Additional Protocol to it, we will move forward to describe the challenges, which might arise from the new Additional Protocol.
This new Additional Protocol, as already mentioned, is expected to be finalized by the end of 2019. It will concern the effective exchange of information and the mutual court assistance regarding certain criminal proceedings, which require access to certain data in the context of cloud computing.
For the Internet and cloud computing services to be a place in which each and everyone of us will be able to enjoy his/her rights, it is necessary to enact certain safeguards when the State authorities, which are responsible for enforcing the law, exchange information and mutually cooperate in the context of transboundary criminal proceedings.
The discussions which took place during “Octopus Conference 2018” underlined important potential challenges, which might arise from the new Additional Protocol, if necessary safeguards are not adopted.
It must be noted that particular attention was paid to the necessity of restructuring mutual court assistance between two or more States with the objective to collect and exchange information in an endeavour to enforce the provisions of the new Additional Protocol in regards to certain transboundary criminal investigations or proceedings.
Furthermore, it is necessary to ensure that national legislation of third countries will be harmonized to the high level of protection, recognized by the European Court of Human Rights. Both the legislators and the law enforcement authorities of these third States should respect and abide by the legal principles and values reflected in the legislation and jurisprudence of the Council of Europe regarding the protection of human rights.
Only in this way will the authorities have access to evidence, coming from cloud computing services, with the necessary prerequisites being followed; this way, the interference will be proportional the human rights and freedoms of Internet users will be protected.
You can learn more by watching a short video by the Council of Europe with statements of some of the participants to “Octopus Conference 2018”, by clicking here.