Cloud Computing, Illegal Online Content Said to Necessitate Better International Teamwork
Cloud computing raises concerns for users, businesses and law enforcement agencies that only better international cooperation can address, speakers said at a Thursday workshop in Madrid on cross-border jurisdiction in cloud computing at the European Dialogue on Internet Governance. Cybercriminals freely engage in cross-border acts, but police tracking them are often stymied in their attempts to gather evidence, said Ioana Bogdana Albani, chief prosecutor in the terrorism and organized crime division of the Romanian Prosecutor General’s Office. ISPs and cloud service providers lack legal certainty about how to protect user privacy while complying with law enforcement demands, speakers said. ISPs are also facing increased demands to counter illegal content, they said.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Under the Council of Europe (CoE) cybercrime convention and national law, the police can make use of mutual legal assistance in investigating cross-border crimes, said Albani. But obtaining evidence over the Internet is awkward because investigators often don’t know where the information is, she said. Jurisdiction becomes an issue, and in some cases the police can’t search for evidence without permission from the destination country, Albani said. The tools for dealing with cybercrime are out of date, and there should perhaps be an international agreement allowing law enforcement bodies to work across borders, she said.
No principle of international public law allows extraterritorial investigations, said Henrik Kaspersen, a law professor at the Vrije Universiteit in Amsterdam. He recommended global accords for activities such as hot pursuit, as well as joint police teams to follow data across borders.
Cloud computing has been around 10 years, but it’s more complex now because more data are stored in more places, said European Internet Service Providers’ Association Vice President Michael Rotert. That complexity doesn’t just affect law enforcement, he said. As intermediaries, ISPs must obey data protection rules while also supporting law enforcement, he said. ISPs don’t want to deal with content, and what’s called the terrorism that’s the target of traffic data retention laws is “totally undefined,” he said.
The European Commission and EU governments are focused on network security, and the EC, expected to publish a report on the data retention directive on Sept. 15, has already announced that the law will be revised, said Microsoft Senior Policy Manager Cornelia Kutterer. EU foreign ministers said this week they'll look into creating a cybercrime agency, she said, which she called a “step in the right direction.” Cloud computing allows the digital internal market to grow, a point that shouldn’t be forgotten in the debate, she said. Companies need a clear regulatory environment to encourage deployment of services, she said.
The problem with cloud computing is finding out where the computer system and data are and how to get access to them, said Alexander Seger, head of the CoE economic crime division. Cloud data stored in a computer in a police agency’s home country can be accessed by normal search and seizure procedures, he said. Law enforcement can try to access cloud data hosted abroad with the help of officials from that country, he said.
Law enforcement officers seeking direct access to cloud data in another country can get it if they have voluntary and lawful consent from officials where the data is stored, Seger said. But it’s not clear whether a court can force ISPs or cloud service providers to intercept data stored on foreign servers, he said. These and other matters create many uncertainties for service providers, raising questions about the need for an international agreement, he said.
'No Clear Path’ on ISP Liability for Content
ISPs are increasingly on the defensive over their responsibility for undesirable content. It’s a complicated area because it’s not always clear whether material is harmful or illegal or not, said Nicholas Lansman of EuroISPA.
The purpose of the EU e-commerce directive was to balance the rights of users, ISPs, creators and rights owners across a range of services, content types and responsibilities, said Yahoo Public Policy Director Chris Sherwood. An ISP is not liable for infringing or other content without actual knowledge of it, but the legislation doesn’t clearly define “actual knowledge,” he said. So service providers aren’t motivated to voluntarily “pick the low-hanging fruit” in order to avoid liability for an array of activities, he said. He proposed that ISPs that act in good faith be given a safe harbor and that users who report content take some responsibility for dealing with it.
Increasing ISP liability for information they transmit privatizes the police function and creates administrative rather than judicial penalties, said Internet Society-European Chapters Coordinating Council Chairman Christopher Wilkinson. There’s a qualitative difference between criminal content such as terrorism sites and child abuse pornography and copyright infringement, he said. Copyright infringement should remain a civil offense because criminalizing it seriously distorts police priorities, he said.
Far from giving ISPs legal certainty, the e-commerce directive actually creates “privatized censorship,” said European Digital Rights member Meryem Mazouki. When a provider receives notice of illegal content, it decides whether it’s cheaper to take the website down or say the content is legal, she said. That doesn’t protect either users’ human rights or ISPs, she said.
In the U.K., hosting websites and ISPs are notified if illegal child abuses images are detected on an in-country server, and they have never failed to take down a site within 24 hours, said John Carr of the Alliance for Child Safety Online. The problem is that 99.7 percent of the sites come from abroad, 50 percent of those from the U.S., he said. Even if notices are served on overseas ISPs and the police are notified, images often stay up a long time, he said.
In 2004, British Telecom developed technology to block sites wherever they are, Carr said. Blocking is a “second best” solution but nothing else has worked, he said. Images should be removed and the people who posted them prosecuted, he said. Effective communication and less bureaucracy among police agencies is more effective than blocking, another EDRI representative said.
Blocking shouldn’t be encouraged because it disguises the symptoms of a problem that should be handled with education and awareness, said Ženet Mujic, senior adviser to the Organization for Security and Cooperation representative on freedom of the media. The organization favors Internet self-regulation, but it’s not always transparent or independent, she said.
The legal framework for ISP liability seems stable, but the role of service providers is becoming increasingly complex and subject to penalties, official reporter Michael Truppe of the Austrian Federal Chancellery legal service said. There’s a proposal at EU level to block child pornography websites, and in some countries there are public-private partnerships engaged in blocking, he said. There’s no uniform view across Europe, he said.
Truppe said his main concern is a bureaucracy that prevents governments from working together on taking down illegal content, he said. There’s “no clear path yet,” but international cooperation should be strengthened, he said. The conference ends Friday. Its conclusions will feed into the Internet Governance Forum in Vilnius, Lithuania, Sept. 14-17.