It's too hard to get the data of Australian criminals when it's stored overseas

This article is part of a series on how law enforcement is fighting crime across digital borders.

Solving crimes and prosecuting criminals depends on efficient access to evidence. Technology has not changed that.

What has changed, however, is that much of that evidence has migrated online. Most importantly, it’s often stored overseas.

This is true for so-called cybercrime, and for traditional “offline” acts. For example, prosecuting a murder, rape or child abduction may depend on access to e-mails, search history and mobile phone locations – all data that may be stored on overseas servers.

This presents problems for Australia, and needs to be addressed.

Read More: Spyware merchants: the risks of outsourcing government hacking

The movement of evidence to the online cloud in particular means that the efficiency of the Australian police depends directly on the level of cooperation provided by overseas actors.

They need help from law enforcement agencies in other countries, or the assistance of tech giants such as Google, Amazon, Microsoft, Facebook and Apple, which actually hold the data.

The concern is that support from overseas law enforcement typically involves a slow and cumbersome process, while the assistance of the tech giants rests on uncertain legal ground.

Mutual Legal Assistance treaties

The traditional method for accessing evidence in another country is via Mutual Legal Assistance Treaties (MLATs). Australia has entered into many such agreements.

For example, Australian police may request that US law enforcement agencies acquire crime-related information from the relevant US-based technology company.

This process often takes months, and it’s widely accepted that the MLAT structure is opaque and under too much stress due to the volume of requests.

The alternative is for law enforcement to make requests directly to the tech companies, but this can be legally fraught and involves a complex matrix of interests.

Microsoft, for example, is in a difficult position. The US government served a search warrant in 2013 authorising the search and seizure of information associated with a specified e-mail account. Microsoft opposed it, given that the emails are stored on servers in Dublin, Ireland.

If it complies with the US request for data, it risks violating European data protection law that imposes restrictions on the cross-border transfer of data. The US Justice Department has petitioned for the Supreme Court to resolve the matter.

Dated legal thinking

One of the key obstacles for progress is found in the law’s focus on “territoriality”.

Drawing on outdated thinking cemented in a 1920s case involving colliding steam ships, international law attaches great significance to where data are located.

But online, it’s easy for criminals to move data around as they wish, and it’s not always possible to ascertain its geographic location.

We need to move away from territoriality as a core principle of jurisdiction.

A new framework, which better reflects the world we live in today, could involve a multi-factor test for jurisdiction. It could allow cross-border access where the overseas country has a legitimate interest in data stored in another country, among other requirements.

An urgent dilemma with solutions in sight

A variety of groups are trying to fix these problems.

The Council of Europe is working on providing further guidance on how its Cybercrime Convention, of which Australia is a party, can address these concerns.

The Internet and Jurisdiction Policy Network – a Paris-based global multi-stakeholder policy network addressing the tension between the cross-border internet and national jurisdictions – has brought together a Contact Group consisting of experts from academia, industry, government, policy groups and law enforcement.

The European Union Commission is also working on this topic and is currently undertaking a consultation until October 2017.

In addition to these international and regional initiatives, the US and UK governments are working on a bilateral arrangement for reciprocal cross-border access to data.

The US is also considering changes to its Electronic Communications Privacy Act (ECPA) that could cater for US tech companies voluntarily disclosing user content data to foreign law enforcement under specific guarantees and safeguards.

Legal uncertainty benefits no one, apart from the criminals

Certainty around these issues is vital, but while law enforcement, victims and society all have an interest in the efficient transfer of evidence, the solution is not simple.

The suspect also has an interest in the integrity of evidence, due process and a fair trial.

Both the suspect and the public more broadly have important privacy needs that must be protected. Suspicion of some petty crime should not automatically give police access to a suspect’s full online life, such as their entire Facebook history.

Read More: Australia’s car industry needs cybersecurity rules to deal with the hacking threat

We must also consider the interests of the countries in which the data are located. Imagine if North Korea demanded that an Australian tech company hand over data about local dissidents. Would we want the company to comply?

Finally, the tech companies themselves have legitimate interests. Particularly in avoiding being squeezed between contradictory rules in different legal systems.

The success of any new policy depends on striking an appropriate balance.

Unfortunately, the chaotic situation we are faced with currently hinders the work of law enforcement, and also fails to protect privacy rights – it only benefits the criminals.