The US Department of Justice (DoJ) has released new guidelines for prosecutors who want to seize data in the context of a criminal inquiry. The text advises that, where possible, rather than issue data requests to cloud providers, as was formerly the norm, they address the enterprise entrusted with the data directly.

By the term ‘enterprise,’ the DoJ means entities “that pay service providers to store electronic communications and other records,” including companies, government agencies and universities.

Progress?

According to the DoJ, before the advent of the cloud the contents of email accounts were usually obtained directly at enterprise level, through subpoenas “or other types of information requests or through targeted search warrants.”

However, an increasing number of requests have been made to cloud providers in recent years, as they constitute a third party with access to the data.

“In general, CCIPS has found many cloud providers are sensitive to the concerns of investigators and prosecutors—including concerns about jeopardizing the integrity of an investigation,” the statement said.

The DoJ now advises that prosecutors determine which party is best suited to provide the data - with the enterprise seen as the most likely source of information.

“Consideration should be given to whether the request should be redirected to the enterprise, as well as whether any protective order can be narrowed to permit the provider to notify an appropriate official at the enterprise without posing a risk to the integrity of the investigation.” 

The guidance warns that prosecutors must take precautions in cases where the enterprise risks destroying information prior to its seizure, or isn’t capable of isolating the necessary data. If either of these is considered a risk, law enforcement agencies are encouraged to turn to cloud providers, which, it says, “understand that these situations may exist and will work with law enforcement to address these concerns.”

Microsoft has come out in support of the new guidelines, with the company’s lead commercial attorney Neal Suggs calling them “a step in the right direction toward providing even greater protections for the cloud. They give clear and useful guidance to law enforcement, which will help them better investigate crimes and keep us safe, and help provide peace of mind for businesses to know that they trust and control the security of the data they store in the cloud.”

Microsoft says the new recommendations “build upon the policies it recently introduced in October 2017,” when the DoJ updated its policy on so-called “sneak-and-peek” searches, to allow companies to notify their customers if their data is to be handed over to authorities.

“These new recommendations represent a growing awareness that requests for data should be case-specific and should, to the extent possible, be directed to the enterprises that own their data.”

Microsoft has an appeal pending at the US Supreme Court, as the DoJ wishes to obtain emails stored in one of its data centers in Ireland, pertaining to a criminal case involving an Irish citizen. The company stated that “more remains to be done to ensure that digital documents and communications stored in the cloud receive the same legal protections as physical documents stored in a filing cabinet, and Microsoft will continue to advocate for new legislation that reforms the outdated laws that currently govern these issues.”