BBC 'vague' reporting again!

Florian Weimer ukcrypto at chiark.greenend.org.uk
Wed, 03 Dec 2008 07:56:21 +0100


* Richard Clayton:

> In article <87myfeak84.fsf@mid.deneb.enyo.de>, Florian Weimer
> <fw@deneb.enyo.de> writes
>
>>Anyway, the proposed law does not cover cross-border searches.
>
> Cross-border searches would need to be covered by an explicit treaty.

Could be the case, yes.

> I have been suggesting (in roughly the right quarters) for some time
> that this is a topic that might be usefully prioritised...  Of course
> I'd probably like to see many more controls applied than the Home
> Office, but I'm not completely against the idea per se... and the sooner
> it's started on, then the sooner (after most of a decade given the
> slowness of the diplomats) it will be finished.

It's a can of worms.  At least over here, what happens is that when
you explicitly permit one thing, you rule out dozens of existing
practices (or vice versa, when something is forbidden, lots of related
things which are not explicitly mentioned are suddenly assumed to be
okay).  There are unintended consequences all across the board.

> Let us suppose that the police execute a search warrant in Kent (to pick
> a recent example county -- albeit in that example there was no
> magistrates warrant because an arrest is sufficient to avoid the need).
>
> The search warrant entitles them to seize computers and storage media to
> examine for evidence of wickedness (albeit with some exemptions for
> privileged material).
>
> If it turns out that the computers are merely thin clients of some kind
> and the data is stored elsewhere -- a common scenario for many years for
> companies, then the search warrant is good within the jurisdiction, so
> that data that is actually held on spinning disks in Kendal can be
> accessed and seized from the machines in Kent. Up until now, this has
> mainly worked out pretty efficiently.

So far, so good.

> If the police are unaware of where the disks are, then the material can
> be accessed and seized. However, if they are told that the spinning
> disks are in fact in Cupertino (or Googleville WA, or Dublin or
> wherever) then they cannot and should not access the data.
>
> Instead, they should use a Mutual Legal Assistance process to get a
> foreign police force to access the data and deliver it up to them.  This
> is incredibly slow, likely to be error-prone, and quite frankly seldom
> serves the needs of justice.

Sorry, I can follow you in general, but this is just the wrong
conclusion.  The real issue here is that there are legitimate
companies doing business in our respective countries, and yet they
still manage to pull off a Sealand-like stunt, somehow opting out of
jurisdiction.  The answer to that isn't new laws, but enforcement of
existing laws.  If they are uncooperative, take their domestic
infrastructure apart until you find the evidence you need.

> As more and more data is stored in "the cloud" (but the geographic
> location of the instance within that cloud can be determined, and is not
> in this country),

I think this assumption is wrong.  Replicas are stored locally.  It's
not clear if the data you actually need is there, but you can't know
if the organization is uncooperative and you don't even bother to look!

> viz: though this thread is mainly about surreptitious (and perhaps l33t)
> access to data, there's a real and growing problem for officers trying
> to deal with straightforward non-surreptitious access to stored data,
> perhaps even with the agreement and cooperation of the company or
> sysadmins involved who want their fraudulent employees dealt with...

Their fault.  Apparently, they drank too much of that "cloud"
kool-aid.  The organizations they want business records from usually
have a domestic presence.  Some of the Googles even acknowledge that
and hand over data of local residents locally (like most of them
acknowledge regional filtering requirements).  The remaining ones will
follow once they feel the operational impact of non-compliance with
local law.

You may have a point about a webmail service run by a Russian on a
machine in California whose WHOIS records claim that it's located in
Hong Kong.  My take on this is if both U.S. and Chinese police
disclaim jurisdiction (based on WHOIS and location, respectively),
anything is fair game.  (The Googles are different in that they claim
to be subject to a particular jurisdiction when it suits them, usually
U.S., not opting out of all of them.)