‘Cloud computing‘ offers an attractive and cost affordable proposition for businesses wanting to minimise the cost of conducting business operations by migrating from software applications installed on computers to web based solutions. Applications hosted on a central server means updates and maintenance undertaken by a cloud computing provider with the costs able to be shared between multiple users.
Many businesses are already using cloud computing whilst others are moving their operations into the cloud. This trend is going to pose new risks for businesses in terms of security, privacy and interference with businesses when law enforcement agencies seize a cloud computing server to access and copy electronic data residing on it for the purpose of criminal investigation.
Under present laws, Police and other authorities are required to obtain a search warrant to access content stored in the cloud.
In Liquid Motors, Inc. v. Lynd, No. 3:09-cv-0611-N (N.D. Tex. April 3, 2009) the Federal Bureau of Investigation (FBI) granted a search warrant to police to seize computer servers belonging to a cloud computing service provider.
The cloud computing provider Liquid Motors wasn’t subject to any allegations of wrongdoing, however the FBI had established that there was probable cause that a criminal enterprise had been using it’s servers and/or data stored in them to conduct criminal activities.
As the Pirate Bay confiscation in Sweden showed, innocent companies suffered significant downtime to their operations because their data happened to be housed in the same facility as those accused of online digital piracy.
As reported by Wired, Liquid Motors was a cloud computing service that providing national car dealers with stock management and Internet marketing services who was innocently caught up along with many other companies in an FBI raid and seizure at Core IP Networks in an investigation into VoIP fraud.
Liquid Motors wasn’t the subject or investigation of any wrongdoing however the seizure of their computers and backup tapes caused a significant disruption to their operations. It compromised their business, putting them in breach of their contracts with their customers and exposing them and other companies to economic loss.
Millions of dollars’ worth of computers, many of which were owned by companies who just happened to be co-located in the same data centre with no connection to the companies the subject of the investigation were confiscated. The service outages affected the continuity of business operations so badly that they were put out of business.
Liquid Motors brought an application before the U.S. District Court for the Northern District of Texas court for a restraining order and sought the release of the servers and equipment seized however the Court denied the request as it was satisfied that the FBI required continuing access to the servers to complete their investigation. The FBI informed the court it was working expeditiously to copy the data from the servers’ hard drive so it could return them to Liquid Motors as soon as possible. The FBI needed to obtain a forensically verifiable mirror image of data stored which had been used by the owner of the co-location facility Core IP networks to conduct fraudulent activities.
It is conceivable that the operations of a business may be interrupted by the needs of investigating bodies requiring access to stored information that may constitute evidence of a crime. This is a real risk that businesses face as cloud computing applications become more prolific until law enforcement agencies develop methods to be able to target and secure data without damaging third parties whose data happens to be housed with data they require access to. At present agencies don’t have the means to permit servers to continue functioning while records targeted for investigation are copied.
The case serves as a warning to customers to consider whether to adopt a strategy of spreading or duplicating data and services across multiple service providers located in multiple jurisdictions to avert damage to their operations and electronic data records. The lack of security of data held in the cloud may affect a business’ willingness to put business information remotely-hosted data centres.
Earlier this year Google announced that its web-based Gmail system had been hacked by attacks originating in China.