UK Cloud Computing Interception - nothing new. Clive Gringras. Olswang LLP 2011 www.olswang.com 1




Some UK cloud-computing customers are concerned that they should not entrust US cloud-providers with their data for fear of US law enforcement interception. If interception is so much of a concern they should not only avoid US cloud providers but also should avoid using the UK's telephone, the Internet, and the postal system. The interception of communications, whether stored in the 21st Century cloud or sealed in 16th Century scrolls, and whether here in the UK or in the US, is nothing new. All communications data, where justified, may be intercepted by the State's watchful and proportional eye.

"Any access to communications data by public authorities is an intrusion into someone's privacy. To be justified, such intrusion must satisfy the principles of necessity and proportionality." These are not the post 9/11 words of a US legislator justifying new legislation to spy on unwitting citizens; they are the words in June from the UK's Interception of Communications Commissioner, Sir Paul Kennedy.

Both the US and the UK (together with many other EU Member States) have morally-principled and strong legislation allowing their State's machinery to intercept certain electronic communications stored and transmitted through the cloud. True, the two countries differ in branding: the USA uses the optimistically-pitched PATRIOT Act whilst Britain uses the graveyard-echoing RIP Act. Naming apart, both nations' regimes are concerned to intercept, across every system, the plotting and evidence of society's most feared and serious offences.

Aware of the mobility of today's criminals and terrorists, legislators in the US and the UK wanted interception rules to apply to any traffic passing through communications equipment in their territories. These legislators wanted to ensure that terrorists and serious criminals cannot find a digital safe haven in either the UK or the US, nor can they simply hide from view by diving behind the firewall of an unwitting enterprise hosted on a cloud computing service. Businesses on either side of the Atlantic wanting to take advantage of cloud computing must accept that just as terrorists might squat in their systems in the UK or in the US, so law enforcement must have rights to intercept communications, whether in Newcastle or New York.

This article briefly sets out the parameters of the USA PATRIOT Act before looking in greater detail at the framework and workings of the UK's RIP Act. This analysis will reveal that UK businesses will not escape interception merely by shifting from a cloud provider in the US to one in the UK, or even elsewhere in the EU; to remove entirely a business's exposure to interception one needs to take the Luddite step of stopping all phone calls, all use of the internet and mobile phones and of stopping using any postal systems.

In the dark shadow of the 9/11 attacks, the US government joined other governments in strengthening their powers of interception of and access to enterprise customers' data. No doubt with the final acronym in mind, on 26 October 2001 the US passed the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001. The USA Patriot Act was mainly an update to pre-existing federal statutes. For example, the Act stretched the investigative tools previously available to fight organised crime to include fighting terrorism. The Act also extended the authorities to defeat cross-border money laundering and terrorism funding. Providing no novel state powers, this legislation was more re-brand than new regulation. And crucially, the Patriot Act has checks and balances, and oversight, as to when and why data is accessed.

A full year earlier, on 2 October 2000, the UK brought into force the Regulation of Investigatory Powers Act 2000, or RIPA. Not unlike its US cousin, the RIPA also was not novel. Interception has been on the British Statute book since at least 1663 and the British State is not unfamiliar with interceptions and de-encryption of communications. In the late 1500s Sir Francis Walsingham worked for Queen Elizabeth I, to intercept, and with Thomas Phelippes, decipher and forge, letters between Mary Queen of Scots and her treasonous plotters. The cloud, just like the letters to Queen Mary and the messages intercepted in 1940s Bletchley Park, merely provides a different medium through which much good, but sometimes bad, communications are shared.

RIPA regulates interception of the content of communications as well as disclosure of information as to the who, where and when of these communications. Just as serious criminals and terrorists will resort to using email, letters, phone calls and text messages, so the legislation permits the interception, where appropriate, of these and other communication media. UK Cloud-based communications systems are certainly within RIPA's ambit, but so are the Royal Mail and every UK mobile phone network. Legislators have sought to ensure that criminals and terrorists cannot hide from detection by merely using one form of communication over another.

Although the types of communication are wide, the power to intercept the content of communications (or the power to access data about the communication) is not provided lightly nor widely. It can only be used in relation to the prevention and detection of acts of terrorism and other national security interests and for the prevention and detection of serious crime and in order to safeguard the economic well-being of the UK. Even within these areas, the powers can only be legitimately deployed when it is necessary and proportionate to do so.

The set of government bodies with the rights to intercept these communications naturally are limited to those with investigation and detection remits over the types of offences listed above. As one might expect, therefore, the security services, police forces, local authorities and others can request the information from the relevant communication service provider.

Despite this narrow set of intercepting bodies, last year, UK authorities issued almost two-thousand intercept warrants, prompted by "growing problems from serious crime and threats to national security." In the same period, UK public authorities as a whole submitted over half-a-million requests for communications data. Whilst nearly two thirds of these requests were for subscriber data (usually in the form of enquiries to determine who owns a mobile phone) there will be some enterprises who see this figure and make the decision that they want to keep their data away from the risks of interception. If they make that decision, after they cancel their phone contracts and disconnect from the Internet, they should remember also to stop sending and receiving letters and parcels too.

Clive Gringras
Head of Technology
T: +44 20 7067 3189
E: clive.gringras@olswang.com

The information contained in this update is intended as a general review of the subjects featured and detailed specialist advice should always be taken before taking or refraining from taking any action.
