Selling Information Through Cloud Diagnosis

Transcription

1 Storm clouds ahead? Part 2: Investigations and litigation using data stored in the cloud April 2014 Publication No

2 1 Introduction 2 In Part 1 of this article, we considered the issues surrounding data privacy in the cloud. In Part 2, we now turn to consider the issues which arise when using data stored in the cloud as evidence in support of investigations or litigation. Most investigations and litigation discovery processes involve the review of electronic information held by organisations, such as s, documents and internet histories. Organisations are often required to provide specific information to third parties, such as law enforcement authorities, within a short timeframe. Whilst cloud infrastructure may improve remote access to an organisation s data, in some cases from anywhere in the world, it also reduces an organisation s direct control over the data. This means that when faced with the need to quickly produce or disclose information, organisations who store data in the cloud face some unique challenges. In this article, Ronald Holtshausen from our Perth office considers the key issues surrounding the use of data in the cloud for litigation and law enforcement, including: acquiring data from the cloud the risk of modification of data data sovereignty data possession and control. 2 Data acquisition from the cloud Imagine that your organisation has just found out that it faces investigation by a regulator - it may need to provide the regulator with a large volume of data within a short time frame. Complying with this deadline will be hard. Even if there is no such specific request, the organisation needs to understand what data it has and perhaps start its own review of that data. But then you remember - your organisation stores some, or all of its financial, operational and data in the cloud. What can be easier, you think. Doesn t storing company information in the cloud make data easy to access? Unfortunately, that is not necessarily the case when it comes to acquiring and preserving a copy of an organisation s data from the cloud for investigation and litigation purposes - this can prove to be slower, and more complex than originally perceived. It can also be costly, particularly if contractual arrangements are not in place for such an event.

3 Conventional computer forensic acquisition procedures look to acquire and preserve data from a storage device which the investigator can physically access. The investigator can then take the appropriate precautions to isolate the data from further access and ensure it is not altered or modified during the preservation, whilst also ensuring adherence to any specifications of the search or disclosure orders. 3 However, in many cases, data contained in the cloud will be stored in remote infrastructure that is shared by multiple organisations. This may limit an investigator s ability to physically access the data storage facilities and isolate it from further potential modifications. The investigator may then need to employ a different approach in order to acquire the data remotely, potentially being hampered by issues such as slow connection speeds to the cloud provider. Risk of modification of data Many investigators rely upon metadata (such as author information, file creation, modification and access times) as part of their work, for example, to piece together a sequence of events by preparing a chronology of a document s creation and modification. Unfortunately, whilst a cloud facility may increase an organisation s ability to access its data, it also increases the risk of potential data modification (accidental or deliberate) by employees and the cloud provider. Simple maintenance activities performed by a cloud provider can modify metadata associated with data. This includes activities such as backups, imaging, data relocation and data replication. This means that data which could prove crucial in investigating a user s activity may be modified or lost. When accessing data in the cloud (known as a remote acquisition ) for litigation purposes, it is crucial that appropriate precautions are taken to preserve data artefacts that may be modified by simply downloading the data from the cloud. We recommend that all remote acquisitions are done by experienced professionals. Example Mr Smith resigns from his software development job at Jones & Co and is immediately walked out of the building by security. Mr Smith sets up his own business with the intent of developing and selling similar software to that designed and owned his former employer. Jones & Co becomes concerned that Mr Smith has stolen its intellectual property. Jones & Co investigates whether Mr Smith accessed and copied its proprietary software designs and source code before his resignation. They therefore want to establish the date at which the software or source code was last accessed, and by whom. Jones & Co stores its software specifications and source code in the cloud, so it asks its cloud provider to check the metadata of the relevant files. Unfortunately, the cloud provider does not make a forensically sound copy of the files, and so accidentally accesses the files during this check. At approximately the same time Jones & Co s data gets replicated from the Singapore data centre to the cloud provider s German data centre. The data s replication to the German data centre has now resulted in further changes to potentially crucial metadata. This means that the previous date of access and modification was updated, and there is no longer any evidence linking Mr Smith to the file. Jones & Co are not able to provide any metadata to establish the theft of their intellectual property, and Mr Smith continued to run his own business as a competitor to Jones & Co.

4 3 Data sovereignty and international concerns 4 Data sovereignty is the concept that information which has been converted and stored in a digital form is subject to the laws of the country in which it is located. Data sovereignty is a key issue for organisations that use the cloud for data storage. Cloud providers often store data in offshore storage facilities to reduce costs. As a result, an organisation s data could physically be held in storage locations anywhere in the world and, potentially, in a number of different jurisdictions. The long arm of overseas legislation Because data may be stored outside Australia, it is important that organisations understand the privacy laws of the country where the data is located, as these may apply in contractual agreements with cloud providers. Organisations may even find their data susceptible to foreign government access in relation to investigations or litigation overseas. For example, through the use of the American Patriot Act, brought in as a response to the events of 11 September 2001, the US Government and its agencies have powers to access Australian data held by US owned cloud providers and their subsidiaries, wherever they may be located. This includes both: Australian data held in Australia by a US owned cloud provider Australian data located in the US by an internationally owned cloud provider. Susceptibility to foreign government access does not stop with the US. A study carried out by Hogan Lovells, an international law firm, found similar data access laws in other countries 1. The governments of the United Kingdom, Germany, France, Japan and Canada have similar laws in place allowing them to obtain personal data stored in the cloud during the course of a government investigation. Data Sovereignty and Australian Privacy Laws When storing data in the cloud, an organisation should be aware that the legal obligations over the protection of the data still reside with them under the Australian Privacy Principles 2 (APP 5 and APP 8). APP 5 requires that upon data collection from a customer, organisations notify individuals of their intention to disclose personal information to recipients overseas 3. They must also specify the location in which these disclosures may take place, if practicable to specify those countries. APP 8 requires that before disclosing personal information to an overseas recipient, the organisation must also take reasonable steps to ensure the recipients will not breach the Australian Privacy Act. An exception to this is if the overseas entity is an agency 4 and the disclosure of the information is required or authorised by or under an international agreement relating to information sharing to which Australia is a party; or the [organisation] reasonably believes that the disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body and the recipient is a body that performs functions, or exercises powers, that are similar to those performed or exercised by an enforcement body. This means that if an organisation is required to provide data as part of an investigation, either by an Australian or foreign law enforcement agency, then it is not required to inform the customer of the disclosure of that data. However, organisations should determine whether their cloud provider is required to notify them of such requests as part of their contractual arrangements.

5 4 Issues with possession and control 5 In dealing with data stored in the cloud, it is important to understand not only where the data resides (the entity which has possession of it), but also which entity utilises the data and is able to modify it, i.e. the entity which is in control of the data. As we have discussed, many organisations who place their data into cloud storage may be required to produce this information for legal or investigative purposes; but to whom should investigators address these data requests? Should it be the user organisation, as they are the uploader or generator of the data and already have access to it? Or should it be the cloud entity, as they are the entity who have possession of the data storage? Cloud provider has possession of data data Organisation has control of data Cloud provider hosts the data in one of its offshore storage servers. Organisation uploads data to the cloud and accesses it regularly. A Singapore Case A recent Singapore case 5 has discussed this very notion of possession and control of data from a legal discovery point of view when storing communications and their attached data in the cloud. In particular, there was much discussion around the technical aspects of who has possession and control of cloud based services. This is because, in so far as s accessed using web browsers are concerned (such as Gmail, Yahoo, Hotmail, and web-based/off-site corporate accounts), the user does not technically have possession and custody over the s, as the s are stored on mail servers and data centres sited in remote locations. In this case, the user may still download and save a copy of the s in his computer, hard disk, smart phone, tablet device, or some other compound document. However, unless the user has saved his s in his computer or in similar devices, what the user has in his possession is not the itself, but the username and password to access the s in the possession of the provider. To this end, the provider is in effect a custodian of the electronically stored information in the user s account. 6 With this in mind, a suitable understanding of the cloud infrastructure should be obtained before drafting discovery orders to ensure that they are correctly instructing the entities, and more importantly, identifying the correct entity when making orders for discovery. The judge in the Singapore case allowed the application for discovery, and commented from a practical perspective, saying: The plaintiffs are not seeking discovery of physical printouts of s kept by the defendants, neither are they seeking discovery of soft copies of s saved in the defendants computers, smart phones or other compound documents (storage devices or database). If this was the case, the defendants can be found to be in possession and custody of these physical printouts, or the saved softcopies kept in their computers. Instead, the plaintiffs are seeking discovery of the s in the defendants accounts. 7

6 On this basis, at least from a Singapore perspective, it suggests that for disclosure of web based , suitable care should be taken to determine where the data may reside and which entity the discovery orders should be served on. 6 In our experience the appropriate use of forensic tools, together with the express permission of the web based account user (and assuming there are no issues with the terms and conditions of the web based provider) can allow for the appropriate collection of web based accounts. To date, we are unaware of any Australian cases regarding such a scenario but there could be significant implications for data privacy. In the definitions of the Privacy Act an entity holds personal information if it has possession and control. Could it be that Google or Hotmail might be deemed to be holding personal information through its hosting of accounts? 5 Our recommendations Storing data in the cloud has obvious cost benefits, but organisations who do so must address some unique challenges when faced with an investigation or litigation. In particular, the risks surrounding data privacy in the cloud (as discussed in the last article) mean that it is important to be litigation ready. We suggest that: All remote acquisition is undertaken by an experienced forensic technology professional, to avoid the risks of data modification. Alternatively, organisations may request cloud providers to assist investigators in acquiring data. This scenario should be discussed as part of contractual agreements to avoid additional costs, however, organisations should ensure that the cloud provider has the requisite experience to do this without modification of the data. Organisations should obtain confirmation (and ensure regular updates) from cloud providers of the location in which their data is stored, and whether the local legislation will apply. Whilst requests from regulatory and law enforcement agencies for data stored in the cloud may be unavoidable, ensure that suitable contractual arrangements are in place, including whether your cloud provider is required to notify you of such requests. Legal teams should give due consideration to the wording in their orders for the discovery of cloud based data. Again, expert assistance can assist in ensuring that the appropriate information is collected in a timely manner. So, ask yourself, when your organisation is faced with litigation, or required to provide evidence as part of an investigation, how ready will you be?

7 Endnotes 1. See detail.aspx?news= See privacy-resources/privacy-fact-sheets/privacy-fact-sheet- 17-australian-privacy-principles_2.pdf. 3. See engaging-with-you/current-privacy-consultations/draft-app- Guidelines-2013/Draft_APP_Guidelines_Chapter_8.pdf 4. As defined by the Privacy Act 1988, Section 6, an agency would include most Commonwealth government bodies and representatives, including the AFP and the Federal Court. See pa /s6.html 5. Dirak Asia Pte Ltd and another v Chew Hua Kok and another [2013] SGHCR Dirak Asia Pte Ltd and another v Chew Hua Kok and another [2013] SGHCR 01 [12] 7. Ibid [11] 7 About the author Ronald Holtshausen Manager Perth rholtshausen@kordamentha.com Ronald specialises in the areas of IT security, fraud, data analytics for investigations, computer forensic investigations and e-discovery. He has experience working on engagements in Australia, Asia and South Africa. Prior to joining KordaMentha, Ronald s experience was obtained by working for Big 4 accounting firms in their IT security and forensic practices, providing services to large scale mining organisations, banking institutions and government entities.

8 KordaMentha Forensic Technology 8 KordaMentha identify, preserve, analyse and present potential electronic evidence in a forensically sound manner to effectively support litigation, corporate and regulatory investigations involving: intellectual property (IP) infringement and theft corporate fraud and financial crime contractual disputes defamation and harassment identity theft misuse or unauthorised access to computing or Internet resources. Forensic technology Our experts have the technical qualifications and experience to forensically analyse a variety of electronic devices including personal computers, computer servers, mobile phones, digital media recorders and players from both common and complex technology environments. ediscovery KordaMentha has had significant exposure to some of Australia s largest matters in recent history. We have the technical qualifications and experience to deliver effective ediscovery advice and solutions, including early case assessment, to significantly reduce the time and cost traditionally associated with ediscovery. Key contacts Owain Stone Head of Forensic Melbourne ostone@kordamentha.com Craig Macaulay Melbourne cmacaulay@kordamentha.com Nigel Carson Sydney ncarson@kordamentha.com Grant Whiteley Associate Director Perth gwhiteley@kordamentha.com Brendan Read Associate Director Brisbane bread@kordamentha.com Daniel Tay Associate Director Singapore dtay@kordamentha.com Briston Talbot Manager Adelaide btalbot@kordamentha.com

9 KordaMentha Forensic We provide clarity and objectivity to organisations when the commercial stakes are high, and the evidence is critical to the outcome. Our specialist forensic tools, rigorous analysis and clear presentation of the financial, factual and electronic information provides insights that are otherwise hidden in the detail of a dispute, investigation, or review. Melbourne Owain Stone ostone@kordamentha.com Robert Cockerell rcockerell@kordamentha.com Craig Macaulay cmacaulay@kordamentha.com Brisbane David Van Homrigh dvanhomrigh@kordamentha.com Brian Wood bwood@kordamentha.com Sydney Andrew Ross aross@kordamentha.com John Temple-Cole jtemplecole@kordamentha.com Nigel Carson ncarson@kordamentha.com Alex Bell abell@kordamentha.com Paul Curby pcurby@kordamentha.com Andre Menezes amenezes@kordamentha.com Perth Jarrod Baker Director jbaker@kordamentha.com Singapore Matthew Fleming mfleming@kordamentha.com Adelaide Stephen Duncan sduncan@kordamentha.com Briston Talbot Manager btalbot@kordamentha.com Subscribe to our publications at kordamentha.com/subscribe Learn more about our forensic services at kordamentha.com/forensic This publication, and the information contained therein, is prepared by KordaMentha Forensic s and staff. It is of a general nature and is not intended to address the circumstances of any particular individual or entity. It does not constitute advice, legal or otherwise, and should not be relied on as such. Professional advice should be sought prior to actions being taken on any of the information. The authors note that much of the material presented was originally prepared by others and this publication provides a summary of that material and the personal opinions of the authors. Limited liability under a scheme approved under Professional Standards Legislation.