Wednesday, December 19, 2012

Cloud surveillance in Ireland: coming soon to a server near you?

There's an excellent article by Peter Swire in the current International Data Privacy Law journal titled "From real-time intercepts to stored records: why encryption drives the government to seek access to the cloud". The core argument is relatively familiar, though particularly well articulated: with the move away from conventional telephony and towards the use of VoIP, webmail and encrypted web connections over SSL, national governments face growing problems in using traditional surveillance powers. Instead, governments are increasingly attempting to access stored communications after the fact, where these are held in cloud services.

An important implication is that this divides up countries into "haves" (where cloud services are based and can be compelled to cooperate) and "have nots" (who will lack leverage over foreign companies). Consequently, as he puts it:
the 'have nots' become increasingly dependent, for access to communications, on cooperation from the 'have' jurisdictions... This technical possibility to respond to process leads to an important, specific split between the ‘haves’ and ‘have nots’. Some jurisdictions will have the cloud server in their jurisdiction, with relatively straightforward access to the stored records under local law. Other jurisdictions will not have such access. They will have to use a Mutual Legal Assistance Treaty (MLAT) or other mechanism to gain access to the holder of the records. These ‘have not’ jurisdictions may well face added expense and delay in gaining access to the records. In some (or perhaps many) cases they will not be able to access records that they consider important for law enforcement or national security purposes. Conversely, cloud providers and other holders of records are likely to face an increasing number of lawful access requests, from a potentially bewildering array of jurisdictions.
So what does this mean for Ireland? Think about these recent headlines: "Dropbox to establish Irish office", "Twitter ramps up hiring in Dublin", "Facebook is liking Ireland more and more". Add Google and other companies with Dublin HQs and suddenly Ireland becomes - in Swire's analysis - one of the "have" jurisdictions when it comes to internet surveillance.* Better yet, it's a jurisdiction with antiquated laws on surveillance, where oversight of police activities continues to be inadequate. Consequently we can expect both domestic and international interest in accessing the contents of these cloud services - with the added advantage that the out-of-date Irish law might allow the more stringent requirements of US law to be evaded in the case of providers with their main base in the US. Watch this space.


*There is one possible caveat - some US providers appear to be basing only certain functions here (e.g. sales and marketing), leaving actual data hosting in the hands of a different (US) corporate entity and therefore theoretically outside the scope of the Irish authorities. It remains to be seen, though, whether this will be effective.
