Status:
IGF Theme(s) for workshop: Security, Openness and Privacy
Main theme question address by workshop: Question 1, 4 and 5
Concise description of the proposed workshop:
The use of cloud services is rising globally. Million of users from around the world are using web-based email and cloud services that can store sensitive data such as private messages and personal documents and photos, as well as subscriber information identifying online users. Cloud services also store sensitive “records” data that can reflect a user’s location, contacts and actions over time. The data stored in a cloud service is accessible from any location through the Internet, which makes it very convenient. However, this often means that a user does not know where their data, or the records related to their data, is stored, and many cloud-based services use servers located throughout the world.
This shift to cloud services plainly creates new legal implications and challenges that can affect individuals, cloud service providers, and law enforcement agencies. If data is stored in a country with questionable human rights records or lax regulation on access to data, risks could arise for both the user of cloud services, as well as the company themselves that are storing the data. In light of the increasing reliance of cloud services for sensitive data, resolving these problems and gaining clarity and a shared understanding of the risks and benefits of cloud services is essential to enabling sustainable development alongside the protection of human rights. We seek to answer the jurisdictional challenges that crosscut the following questions.
● What are the challenges for law enforcement to obtain data in the cloud or for companies to comply with the legislation of a given country?
● What factors will determine when user data and records is available to a given local or federal law enforcement agency or private litigant?
● What role do server location, asset location, employee location and corporate structure play in determining who has access to user content and records stored with cloud services?
● What role can and should cloud services play in protecting their users from improper demands for access to user data and records?
● When do online service providers have to assist law enforcement agencies or civil litigants in an investigation (interception, disclosure of records or content) or in response to requests (preservation, retention, and disclosure of identity of anonymous users)?
● What options can and should subscribers have to protect their content that is stored with cloud services?
● What options can they have to protect the records related to their data (like their contacts, their true names, their location)
● What impact do jurisdictional and substantive laws have on the choices of cloud services as to where to locate their servers and their businesses?
● Does international law or international treaties stipulate some answers to these questions?
This workshop will address attempts to use the legal process to access cloud data, including its substantive, procedural, and jurisdictional aspects. We will discuss the international legal rules, particularly the Council of Europe Cybercrime Convention, on obtaining data for investigative purposes and how such rules "interact" with some national laws. We will explore various dimensions of this issue, from the sometimes covert investigative tools law enforcement agencies use to seize data in the cloud, to laws compelling companies to hand over data, to the practices companies are using to challenge flawed complaints and foster transparency on government access requests. There is an urgent need to address these jurisdictional issues that could subject the data of an individual to the rule of multiple jurisdictions with unfamiliar or unacceptable national laws.
Background Paper:
Name of the organiser(s) of the workshop and their affiliation to various stakeholder groups:
Tamir Israel, Staff Attorney, The Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (CIPPIC), University of Ottawa (Canada)
Katitza Rodriguez, International Rights Director, Electronic Frontier Foundation (Peru)
Have you, or any of your co-organisers, organised an IGF workshop before?: Yes
Please provide link(s) to workshop(s) or report(s):
http://www.intgovforum.org/cms/component/chronocontact/?chronoformname=WSProposalsReports2010View&wspid=66
http://www.intgovforum.org/cms/component/chronocontact/?chronoformname=Workshops2011View&wspid=160
Provide the names and affiliations of the panellists you are planning to invite:
Teresa Scassa, Canada Research Chair in Information Law at the University of Ottawa; (Academic)
Katitza Rodriguez, International Rights Director, Electronic Frontier Foundation; (Peru). (Civil Society)
Bruce Schneier, Chief Security Technology Officer of BT. (USA) (Business Sector)
Laurent Bernard, Policy Analyst, Organization for Economic Cooperation and Development (International)
Sergio Suiama, Prosecutor from the State of Sao Paulo (Brazil) (invited)
Bertrand La Chapelle, Program Director at International Diplomatic Academy.
A cloud provider (TBC)
Name of Remote Moderator(s):
Jillian York (TBC)