BBC 'vague' reporting again!

Richard Clayton ukcrypto at chiark.greenend.org.uk
Tue, 2 Dec 2008 13:28:10 +0000 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <87myfeak84.fsf@mid.deneb.enyo.de>, Florian Weimer
<fw@deneb.enyo.de> writes

>Anyway, the proposed law does not cover cross-border searches.

Cross-border searches would need to be covered by an explicit treaty.

I have been suggesting (in roughly the right quarters) for some time
that this is an topic that might be usefully prioritised...  Of course
I'd probably like to see many more controls applied than the Home
Office, but I'm not completely against the idea per se... and the sooner
it's started on, then the sooner (after most of a decade given the
slowness of the diplomats) it will be finished.

Let us suppose that the police execute a search warrant in Kent (to pick
a recent example county -- albeit in that example there was no
magistrates warrant because an arrest is sufficient to avoid the need).

The search warrant entitles them to seize computers and storage media to
examine for evidence of wickedness (albeit with some exemptions for
privileged material).

If it turns out that the computers are merely thin clients of some kind
and the data is stored elsewhere -- a common scenario for many years for
companies, then the search warrant is good within the jurisdiction, so
that data that is actually held on spinning disks in Kendal can be
accessed and seized from the machines in Kent. Up until now, this has
mainly worked out pretty efficiently.

If the police are unaware of where the disks are, then the material can
be accessed and seized. However, if they are told that the spinning
disks are in fact in Cupertino (or Googleville WA, or Dublin or
wherever) then they cannot and should not access the data.

Instead, they should use a Mutual Legal Assistance process to get a
foreign police force to access the data and deliver it up to them.  This
is incredibly slow, likely to be error-prone, and quite frankly seldom
serves the needs of justice.

As more and more data is stored in "the cloud" (but the geographic
location of the instance within that cloud can be determined, and is not
in this country), this is likely to prove a serious impediment to
straight-forward policing of eCrime.

viz: though this thread is mainly about surreptitious (and perhaps l33t)
access to data, there's a real and growing problem for officers trying
to deal with straightforward non-surreptitious access to stored data,
perhaps even with the agreement and cooperation of the company or
sysadmins involved who want their fraudulent employees dealt with...

... this would be a more useful task for the Home Office to be making
progress upon than spending billions on traffic data logging.
- -- 
richard                                              Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.         Benjamin Franklin

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBSTU36poAxkTY1oPiEQLgnACgtNE0ijOnA75n6p+Dz2o1giX+Sn4AoO3r
gFR1qI3R7uEM1ZyNiv0pMwln
=I5IO
-----END PGP SIGNATURE-----